State AGs Urge Apple to Improve Privacy and Security Controls for Reproductive Healthcare Data

November 24, 2022

A group of 10 state attorneys general recently wrote to Apple CEO Tim Cook, urging the company to implement stronger privacy and security controls for applications available through the Apple App Store that track, collect, store, or transmit reproductive health data. The letter was written by Matthew Platkin, Attorney General of New Jersey, and was signed by the attorneys general of California, Connecticut, Illinois, Massachusetts, North Carolina, Oregon, Vermont, Washington, and Washington, D.C.

The decision of the Supreme Court in Dobbs v. Jackson Women’s Health Organization removed the federal right to an abortion and gave individual states the power to regulate abortions. Several states have already introduced bans or severe restrictions on abortions. The state AGs are concerned that the health information collected through health apps “can be weaponized against consumers by law enforcement, private entities, or individuals.”

AG Platkin cited a study conducted by the Mozilla Foundation of the most popular reproductive health apps, which assessed the security of health apps and how the apps collect, use, share, and retain user data. The privacy policies of many of the apps were opaque, especially regarding disclosures to law enforcement, and 18 of the 25 most popular apps – including period trackers, pregnancy/fertility apps, and health and fitness apps – either failed to abide by proper privacy and security practices or obfuscated the scope of the data collected by the apps. Many of the apps also failed to meet minimum standards for security, such as encrypting data, providing automatic security updates, having a clear and easily accessible privacy policy, and requiring strong passwords to be set. A majority of the apps also prompted users to input data that was outside the scope of the health services offered by the apps.

The AGs say the privacy and security gaps associated with health apps available through the App Store threaten the privacy and safety of App Store customers, and that this runs directly counter to Apple’s publicly expressed commitment to protect user data. Apple maintains that strong privacy controls are built into the Apple Health app, such as 2-factor authentication, and that all health data is encrypted until an Apple iPhone is unlocked using a passcode, Touch ID, or Face ID. Health data is also encrypted at rest and in transit when it is synced to iCloud, and the latest versions of iOS and watchOS have default 2FA and passcode-restricted access, which means Apple is unable to view users’ health data. Apple also maintains that there are already fine-grained controls for third-party health apps that use the HealthKit framework, which let users specify what information can be read by the apps, and users of third-party apps must either grant or deny permission for each app to read and write data to the HealthKit store.

The state AGs claim Apple has not done enough to protect user privacy and have urged the company to go further. They have called for Apple to require third-party app developers to delete non-essential user data, such as location history, search history, and other related information of consumers who may be seeking access to reproductive healthcare. They urge Apple to display clear and conspicuous notices advising iPhone users that there is the potential for reproductive healthcare data to be disclosed to third parties, and to require all third-party app developers to disclose reproductive healthcare data only if they are issued with a valid subpoena, search warrant, or court order. Third-party apps that collect, use, store, or transmit reproductive health data, or that sync with user health data on Apple devices, should be required to match or exceed the privacy and security standards of Apple. If any health app does not meet these standards, Apple should remove the app from the App Store, and should conduct periodic audits of apps to ensure compliance with these standards.

“[The] provision of an app or service should not come at the cost of consumers losing control of their health data. To that end, Apple should pursue these measures to protect consumers’ reproductive health privacy. These steps will ensure that Apple stays true to its commitment ‘to provide a safe experience for users,’” wrote AG Platkin.

The post State AGs Urge Apple to Improve Privacy and Security Controls for Reproductive Healthcare Data appeared first on HIPAA Journal.