
Good Morning Everyone,
A year into the FTC’s revamped Health Breach Notification Rule, regulators have made clear that “non-HIPAA” health apps will be held to breach-reporting standards on par with hospitals. Meanwhile, OCR’s proposed HIPAA overhaul would lock in annual penetration testing, and California just set a new CCPA record with a $1.55 million settlement against Healthline for leaking diagnosis-level browsing data. Federal, state, and consumer expectations are rising in tandem—so now is the time to make sure your security controls, privacy contracts, and incident-response playbooks are airtight. Dive into the details below:
Regulatory Updates
FTC’s overhauled Health Breach Notification Rule marks first year in force
The amendments adopted on April 26, 2024 and published May 30, 2024 took effect July 29, 2024, giving health-app and wearable vendors nearly a full year of real-world obligations. The rule broadened “breach” to include any unauthorized sharing of identifiable health data—not just hacking—so routine transmissions to ad-tech or analytics partners can now trigger 60-day notice duties to users, the FTC, and (when 500+ individuals are affected) the media. Service providers must alert their app customers within the same window, and civil penalties top $51,744 per violation (indexed annually). In its first year of enforcement, the FTC cited the rule in headline settlements with GoodRx and the fertility-tracking app Premom, alleging both firms quietly funneled prescription and reproductive-health data to Facebook, Google, and other partners without consent. The message is clear: even “non-HIPAA” actors must inventory data flows, encrypt sensitive records, and rehearse incident-response playbooks—or risk punitive fines and ongoing oversight. Learn more at Reuters
HIPAA Security Rule overhaul would mandate annual penetration tests
On Dec 24, 2024, OCR released a sweeping Notice of Proposed Rulemaking, published in the Federal Register on Jan 6, 2025, that—once finalized—will require covered entities and business associates to commission qualified cybersecurity professionals to run both external and internal penetration tests at least every 12 months (and more often if a risk analysis warrants), perform vulnerability scans at least every six months, and embed multi-factor authentication across the stack. The draft also mandates a formal incident-response plan capable of restoring critical ePHI systems within 72 hours, with documented procedures, workforce reporting channels, and routine testing and revision. Pen tests must realistically mimic today’s threat landscape to validate security controls and uncover weaknesses in networks, apps, Wi-Fi, and connected devices that create, receive, or transmit ePHI. While HIPAA’s current Security Rule treats many technical safeguards as “addressable,” the proposal would convert them to hard requirements—a clear signal after OCR’s recent ransomware settlements. The comment period closed Mar 7, 2025; with a final rule expected later this year, lining up third-party ethical hackers and rehearsing tabletop exercises now will put organizations ahead of the curve. Learn more at Lexology
Enforcement Actions
Healthline pays record $1.55M in CCPA tracking-data case
California AG Rob Bonta announced on July 1, 2025 a settlement (pending court approval) with Healthline Media—the fourth and largest CCPA action to date—imposing a $1.55 million penalty and ordering the health-information giant to repair its opt-out tools, vet ad-tech contracts, and, critically, cease leaking article titles that reveal sensitive diagnoses to third-party trackers. Investigators found Healthline ignored Global Privacy Control signals, ran a deceptive cookie banner, and shared identifiers plus browsing data that could flag conditions like multiple sclerosis, violating both the statute’s opt-out right and its “purpose-limitation” rule. The decree also mandates a robust compliance program with ongoing contract audits and accurate privacy disclosures. Surpassing the 2022 Sephora case, the action follows the DoorDash and Tilting Point settlements and a recent location-data sweep—signaling that California is tightening the reins on publishers and advertisers alike when health-related browsing data is at stake. Learn more at the CA Office of the Attorney General
Closing Thoughts
With the FTC spotlighting ad-tech data sharing, OCR pushing deeper technical audits, and the California DOJ expanding CCPA fines, compliance can’t be a once-a-year checkbox. Inventory every data flow (especially trackers), schedule your next pen test, and hard-wire opt-out signals and MFA before regulators—or attackers—beat you to it.
Stay secure and have a productive week!
