Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Data Privacy

FTC Health Breach Notification Rule: What Non-HIPAA Health Data Holders Must Report and When

The FTC's 2024 amendments to the Health Breach Notification Rule dramatically expanded coverage to health apps, wellness platforms, and connected devices — with enforcement actions totaling $9+ million. Here's what every fintech and non-HIPAA health data holder needs to know.

By Rebecca Leung · June 30, 2026 ·
Table of Contents

TL;DR

  • The FTC’s 2024 amendments to the Health Breach Notification Rule explicitly cover health apps, wellness platforms, connected devices, and non-HIPAA PHR vendors — effective July 29, 2024
  • “Breach of security” now includes intentional but unauthorized corporate data-sharing decisions, not just hacking — meaning ad-tech integrations that share health data without authorization are covered
  • Three enforcement actions (GoodRx, Premom/Easy Healthcare, BetterHelp) have already produced $9+ million in penalties and consumer refunds, with multi-year ad-data prohibitions
  • The 60-day notification clock starts when anyone in the company knows OR should have known — and you must now identify third parties who received the health data in your consumer notice

Most compliance teams running a fintech or digital health company operate with a clear mental model: if we’re not a covered entity under HIPAA, we don’t have HIPAA breach notification obligations. That’s true. It’s also increasingly irrelevant.

The Federal Trade Commission finalized significant amendments to its Health Breach Notification Rule (HBNR) in April 2024, effective July 29, 2024. Those amendments do one thing with precision: they make clear that the gap between “HIPAA-covered” and “unregulated” does not exist for health data collected outside the healthcare system. Health apps. Wellness platforms. Reproductive tracking tools. HSA/FSA-adjacent products. Fitness wearables. Connected blood pressure cuffs.

The FTC has already brought three enforcement actions under the rule — GoodRx, Premom, and BetterHelp — producing $9+ million in penalties and consumer relief plus multi-year bans on sharing health data with advertisers. These are not warning shots. The rule is live, it is enforced, and the 2024 amendments made it sharper.

What the FTC Health Breach Notification Rule Actually Covers

The HBNR applies to three categories of entities specifically not covered by HIPAA:

Vendors of Personal Health Records (PHR vendors) — companies that offer or maintain electronic records of identifiable health information with the capacity to draw information from multiple sources. Think: a personal health dashboard that pulls data from a hospital portal, wearable, and patient-entered history. If you aggregate individual health data from more than one source, you are likely a PHR vendor.

PHR-related entities — companies that offer products or services through the online services (including mobile applications) of a PHR vendor. If your app integrates with a PHR vendor’s platform, you inherit coverage.

Third-party service providers — business entities that provide services involving the use, maintenance, disclosure, or disposal of PHR identifiable health information on behalf of PHR vendors or PHR-related entities. This pulls in billing processors, data analytics firms, cloud storage providers, and others in the supply chain.

The 2024 amendments made explicit what regulators had been arguing since 2021: health apps are covered. Fitness trackers that sync to proprietary health apps, ovulation tracking applications, mental health platforms, meditation apps that collect health questionnaire data, blood glucose monitoring systems — all covered if they meet the PHR vendor or PHR-related entity definitions.

What Now Counts as a “Breach of Security”

This is where the 2024 amendments changed the game for compliance programs built around cybersecurity-incident definitions of breach.

The prior rule defined breach as unauthorized acquisition of unsecured PHR identifiable health information. That was recognizable: a hacker exfiltrating a database.

The amended rule now includes:

Unauthorized disclosures — when a covered entity intentionally but without proper authorization discloses health information to third parties. If your company shared medication data with Facebook’s advertising API without users’ knowing, knowing permission-scope authorization, that’s a breach under the FTC rule. The FTC has been explicit: this is not limited to cybersecurity intrusions or “nefarious behavior.” A corporate policy decision can constitute a breach.

Unauthorized uses — when an entity “exceeds authorized access” to use PHR identifiable health information for a secondary purpose not originally authorized by the individual.

Presumption of breach — unauthorized access is presumed to include unauthorized acquisition unless the covered entity has reliable evidence that no unauthorized acquisition occurred.

This expanded definition is the reason GoodRx fell. GoodRx disclosed that patients had searched for medications — mental health drugs, HIV medications, fertility treatments — to Facebook and Google for advertising purposes. Users had not authorized that disclosure. Under the FTC rule, that was a breach regardless of whether any system was compromised.

The Notification Requirements: Who, What, and When

The 60-day clock runs from the date of discovery — defined as the date on which the breach became known to any employee, officer, or agent of the covered entity, or the date it should reasonably have been known. This is a lower threshold than “when the incident response investigation concludes.”

Individual Notification

Every affected U.S. citizen or resident must receive individual notice within 60 calendar days. The 2024 amendments significantly expanded what that notice must contain:

  • Description of what happened, in plain language
  • Date of discovery
  • Types of health information involved
  • Identity (or description if naming would pose a risk) of any third parties that acquired the unsecured health information
  • Contact information for those third parties
  • Measures affected individuals can take to protect themselves
  • What the entity is doing to investigate and prevent future breaches
  • Contact information for the entity

The third-party identification requirement is new and consequential. If you shared health data with an ad tech company and that sharing constitutes a breach, you must now tell your users which company received their data and how to contact them. This makes the notification substantially more informative — and substantially more difficult if you’ve been sharing data without tracking who received it.

FTC Notification

Breach SizeObligationTiming
500+ individuals affectedNotify FTC simultaneously with individual noticesWithin 60 days of discovery
Fewer than 500 individualsSubmit annual breach log to FTCBy 60 days after calendar year end

The FTC maintains an online portal for breach submissions: ftc.gov/health-breach-notification. For breaches affecting 500 or more, this is a simultaneous obligation — you cannot complete individual notification first and then get around to the FTC.

Media Notification

If a breach affects 500 or more residents of a single state, DC, or U.S. territory, you must notify prominent media outlets serving that jurisdiction within 60 days. This is a geographic threshold, not a total-count threshold. A breach affecting 600 people across 12 states triggers media notification in each state where 500+ residents are affected.

Most companies miss this in their breach notification matrices because they focus on total count, not state-level count. The threshold for media notification can be reached in a single state even if the overall breach is small.

How This Differs from HIPAA

The most dangerous compliance assumption in health data management is that HIPAA and the FTC HBNR cover the same ground. They don’t.

DimensionFTC Health Breach Notification RuleHIPAA Breach Notification Rule
Who is coveredNon-HIPAA health apps, PHR vendors, connected devices, service providersHIPAA covered entities and business associates
Breach definitionUnauthorized acquisition, access, disclosure, or use — including intentional corporate data sharingUnauthorized acquisition, access, use, or disclosure of PHI due to security failure
Regulator notifiedFTCHHS Office for Civil Rights
Third-party identification in noticeRequired (2024 amendment)Not required
Media threshold500+ in a single state/territory500+ in a single state (cumulative)
Small-breach reportingAnnual log to FTCAnnual summary to HHS

The critical practical difference: HIPAA covers health entities you expect (hospitals, insurance companies, their vendors). The FTC rule covers the rest of the health data ecosystem — and that ecosystem has expanded dramatically with digital health, wearables, and embedded wellness features in fintech products.

The Enforcement Record: What Got Companies in Trouble

The FTC has brought three enforcement actions under the HBNR since 2023, establishing the agency’s enforcement posture and the types of conduct that trigger liability.

GoodRx Holdings (February 2023) — The first enforcement action under the rule. GoodRx shared health information (including specific prescription medications and health conditions) with Facebook, Google, Criteo, and other advertising companies for years, despite promising users their data would “never” be shared with advertisers. FTC settlement: $1.5 million civil penalty, plus a permanent bar from sharing health data for advertising and multi-year compliance reporting.

Easy Healthcare Corporation / Premom (May 2023) — The Premom ovulation tracking app shared sensitive reproductive health data with third parties including China-based analytics companies, disclosed data to AppsFlyer and Google for advertising, and failed to encrypt data it shared. FTC settlement: $100,000 civil penalty, permanent bar from sharing health data for advertising.

BetterHelp (July 2023) — The mental health counseling platform shared users’ sensitive mental health information (email addresses, IP addresses, health questionnaire responses) with Facebook, Snapchat, Criteo, and Pinterest for advertising — despite privacy promises. FTC action resulted in $7.8 million in consumer refunds — the largest consumer-directed health data enforcement action at the time — plus a permanent ban on further data sharing for advertising.

In all three cases, the common thread wasn’t a hacker. It was a deliberate corporate decision to share health data with advertising platforms without adequate authorization — exactly the “unauthorized disclosure” scenario the 2024 amendments explicitly addressed in the rule text.

What Fintechs and Non-Healthcare Companies Actually Need to Do

Step 1: Determine whether you’re a covered entity

Map your data flows. If your product collects or processes any of the following, and you’re not a HIPAA-covered entity:

  • Information about health conditions, treatments, diagnoses
  • Prescription medication data
  • Mental health or substance use data
  • Reproductive health data (ovulation, pregnancy, fertility)
  • Biometric data used for health monitoring (blood pressure, blood glucose, weight)
  • Insurance or benefits data linked to health conditions

…you need to determine whether you qualify as a PHR vendor or PHR-related entity. The PHR definition — electronic record of identifiable health information that can draw from multiple sources — covers a surprising range of products, including HSA/FSA platforms that aggregate transaction data with health codes.

Step 2: Audit your third-party data-sharing relationships

The GoodRx and Premom enforcement actions both involved sharing health data with advertising technology companies. Before those actions, many companies considered this standard ad-tech practice. Under the FTC HBNR, it can be a breach.

Inventory every third party receiving health data. Assess whether the sharing exceeds what users authorized. For advertising-related integrations: segregate health data from behavioral/demographic data before passing to ad platforms, or obtain specific consent for health-data-informed advertising.

Step 3: Build a notification-ready operations structure

The 60-day clock runs from when anyone should have known. That means your breach detection → assessment → notification pipeline needs to start at detection, not at the conclusion of a lengthy investigation.

Key elements:

  • Documented breach discovery date (journal entries, incident ticket timestamps)
  • Third-party data recipient inventory (you need to name them in the consumer notice)
  • Individual contact information accuracy verification
  • FTC portal submission workflow
  • State-level media notification threshold tracking by incident

Step 4: Update your incident response plan

If your IRP was built around HIPAA or state breach notification laws, add an HBNR track. The state breach notification law frameworks differ from the FTC HBNR in important ways — different regulators, different content requirements, different thresholds. Running both tracks simultaneously requires a coordination workflow.

Similarly, if you’re running a privacy impact assessment for new health data features, include HBNR coverage analysis as a required section.

Step 5: Document the authorization basis for every health data use

Under the expanded breach definition, using health data beyond its authorized scope is itself a breach. Your privacy notice is the authorization document. If your privacy notice says “we use your data to provide health tracking” and you then share it with an advertising partner, you’ve exceeded the authorization. Keep privacy notices current, specific, and accurate — especially for health data use cases. Review them after each new ad-tech or analytics integration.

So What? The Practitioner Takeaway

The FTC Health Breach Notification Rule has been in place since 2009. What changed in 2024 is precision: the FTC explicitly stated that health apps are covered, that intentional corporate data sharing decisions can constitute breaches, and that breach notices must name the third parties who received health data.

Three enforcement actions in two years, $9+ million in penalties and consumer refunds, and permanent advertising bans tell you this is not a paper tiger. The companies that fell: a medication discount platform, a fertility tracking app, a mental health counseling service. Each assumed their data practices were lawful because they weren’t HIPAA-covered. Each was wrong.

For fintechs running HSA/FSA products, health spending analytics, wellness programs, or any product that touches health data without a HIPAA business associate agreement: run the HBNR coverage analysis now, before you discover you needed it.

The FTC’s compliance guide is the starting point. The Federal Register final rule contains the full text of the 2024 amendments. And for organizations working through the broader framework of health data obligations — HIPAA, HBNR, state health privacy laws — the HIPAA Security Rule overhaul provides context on what’s changing inside the HIPAA perimeter.

The gap between “not HIPAA-regulated” and “unregulated” closed in 2024. The FTC’s enforcement record makes clear it intends to keep it closed.


Need a structured framework for documenting your health data flows, mapping third-party sharing relationships, and building your breach notification workflow? The Data Privacy Compliance Kit includes templates for data inventory mapping, breach assessment, and DSAR workflows across GDPR, CCPA/CPRA, GLBA, and state privacy laws.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Does the FTC Health Breach Notification Rule apply if we're already covered by HIPAA?
No. The FTC Health Breach Notification Rule specifically covers entities NOT covered by HIPAA — including health apps, PHR vendors, connected device companies, and their service providers. If you're a HIPAA-covered entity, you comply with HHS's breach notification rule instead. The two frameworks are designed to be complementary, not overlapping.
How is a 'breach of security' defined under the FTC rule — and is it different from HIPAA?
Yes, significantly different. The FTC rule (as amended in 2024) covers unauthorized acquisition AND unauthorized access to health information — including intentional but unauthorized corporate decisions to share data with advertisers. You don't need a hacker to have a breach: a company that deliberately shares health data with third parties beyond its authorized purpose can trigger the rule. HIPAA's breach definition focuses on security incidents and unauthorized uses/disclosures; the FTC rule covers the same plus the broader 'unauthorized disclosure' concept.
We're a fintech with an HSA or FSA product. Does the FTC Health Breach Notification Rule apply to us?
Potentially, yes — it depends on whether your product qualifies as a 'vendor of personal health records.' If you maintain electronic records of identifiable health information that can draw data from multiple sources, and if that health data isn't protected by HIPAA through a covered entity relationship, the FTC rule may apply to your HSA/FSA platform. The GLBA Safeguards Rule covers financial data; the FTC HBNR covers health data those financial products collect — they can coexist.
What is the notification timeline under the FTC Health Breach Notification Rule?
For breaches affecting 500 or more individuals: notify the FTC simultaneously with individual notice within 60 calendar days of discovery. For breaches affecting fewer than 500 individuals: submit a log to the FTC annually. For breaches affecting 500 or more residents of a single state, DC, or US territory: notify prominent media outlets in that jurisdiction, also within 60 days. The clock starts when anyone in the company knew or reasonably should have known.
What does the FTC actually require in the breach notice to consumers?
The 2024 amendments expanded the required content significantly. Beyond describing what happened and the types of health information involved, you must now include: the identity (or description) of any third parties that acquired the health information, their contact information, and what steps affected individuals can take to protect themselves. This is materially more than HIPAA's notice requirements and reflects the FTC's specific concern about health data shared with advertisers and data brokers.
Are there penalties for violating the FTC Health Breach Notification Rule?
Yes. The FTC can seek civil penalties for knowing violations. As of 2024, the penalty cap is approximately $51,744 per violation per day. Enforcement actions to date have resulted in civil penalties (GoodRx: $1.5M, Premom: $100K) plus conduct-based relief including multi-year prohibitions on sharing health data with advertisers and mandatory compliance reporting. The BetterHelp action resulted in $7.8M in consumer refunds — the largest consumer health data enforcement action as of 2023.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Data Privacy Compliance Kit

Multi-state privacy compliance templates covering 19 state laws plus GLBA and CCPA.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.