On March 23, 2017, New York State Attorney General Eric T. Schneiderman announced settlements with three mobile health application (app) development companies aimed at curbing deceptive marketing practices and inadequate privacy disclosures to consumers. The settlements – reached with Cardiio, Inc., Matis Ltd., and Runtastic GmbH, respectively – target health measurement apps that “purport to measure vital signs or other indicators of health using only a smartphone’s camera and sensors, without any need for an external device.”

The Office of Attorney General (OAG) expressed concern that growing consumer reliance on health-related apps “can be harmful” if the apps provide inaccurate or misleading results: a consumer might forgo necessary medical treatment in reliance on an app’s false assurance of health, or conversely incur unnecessary treatment on the strength of an inaccurate result. In the settlements the OAG highlighted apparent issues it had identified with each of the developers’ apps, including:

  • That both Cardiio and Runtastic created a “net impression” via claims made on their websites and in app store listings that their respective heart rate monitor apps would accurately measure and monitor a consumer’s heart rate “without providing sufficient evidence substantiating” their claims regarding the apps’ accuracy; and
  • That Matis made unsubstantiated claims regarding its fetal heartbeat app’s ability to monitor and play the sound of a fetal heartbeat by placing a smartphone on a woman’s stomach.

The OAG also cited deficiencies in each developer’s privacy practices as grounds for its enforcement actions. For example, the OAG cited two developers for relying on users’ “default consent” to be bound by the respective privacy policies as a condition of submitting data about their health conditions, and faulted each entity for not informing users that their personal information may not be protected under HIPAA. The OAG also found that the developers failed to fully disclose the types of information collected and stored by their apps.

To resolve the OAG’s investigations, the developers agreed to pay monetary penalties, to document substantiation of claims concerning app functionality, and to update their disclosures to consumers. Among other obligations, the developers were required to notify consumers more clearly that the apps are not for medical use, and agreed not to make false or misleading marketing claims. Cardiio and Runtastic also agreed to require users to affirmatively consent to be bound by their respective app’s privacy policy. As health-related mobile apps proliferate to increase patient engagement and wellness, this enforcement action serves as a reminder to developers in the highly regulated health care market of the need to use accurate marketing materials and maintain comprehensive privacy policies.

This post is also being shared on our Data Privacy + Security Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.