June 16, 2026
Health data is the expensive kind to lose. The worst part is the leak you can’t measure.
The same bug costs more in a health app, and “we don’t know who was affected” is the answer that turns an incident into a headline.
Sergii Koval
3 min read
Your app is a zip file anyone can open, and last time I listed the four things I find inside. Suppose one of them is real: a stranger pulls a plain database of patient records off a phone, or finds a live key that opens your back end. The next question is what it costs you, and the answer turns on one fact. This is health data.
Health data is its own category
Not all personal data is treated the same. Your customers' names and email addresses are worth protecting, and losing them is bad. Losing the fact that someone uses a therapy app, a fertility tracker, or an HIV-status tool is worse, because that fact can cost someone a job, or out a private diagnosis to people they never told. Regulators understand this, so they put health data in a heavier class of its own.
In Europe, the GDPR calls this a special category of personal data and reserves its heaviest penalty tier for mishandling it: up to €20 million, or four per cent of a company's worldwide annual turnover, whichever is higher. In the United States the dedicated health-privacy law, HIPAA, covers hospitals, insurers, and the companies that work for them (covered entities and their business associates, in its own terms). The label and the numbers differ across countries. The message does not: this is the data you least want to lose.
The trap: "we are not a medical device, so this does not apply"
A lot of health apps assume the strict rules are for someone else. They are a wellness app, not a medical device. They are not a hospital, so HIPAA is not their problem. For a growing number of them, that assumption is now wrong, and it costs them.
In the United States, the FTC's Health Breach Notification Rule, updated in 2024, covers exactly these apps: the health and wellness products that sit outside HIPAA. Under it, a "breach" is not only a hacker breaking in. Quietly sharing a user's health data with the advertising and analytics code baked into your app counts too, and the FTC has already fined well-known apps for doing it. On top of that, new state laws go further. Washington's My Health My Data Act lets the affected people sue you directly, with no need to wait for a regulator and no minimum company size to hide behind.
In Europe, the special-category rules apply to health data whether or not you ever call your app a medical device. Choosing the lighter regulatory label for your product does not move your users' data into a lighter class. The data is what it is, and the law follows the data.
The clock starts when you find out
When health data leaks, you do not get to investigate quietly for a few months and announce it when you are ready. Under the GDPR you must report a breach that puts people at risk to the regulator within 72 hours of becoming aware of it. The American rules and the state laws have their own deadlines, and some now let your customers take you to court while you are still working out what happened. The moment you know, the clock is running, and "we were still looking into it" is not a defence anyone accepts.
The leak you cannot measure
All of this ties back to the file on the phone, in a way that ought to worry you more than the fine.
To report a breach honestly, you have to answer a simple question: whose data, and how much? If your patient records lived in a single system on your servers, with logs of who touched them, you can answer it. You can say which accounts were exposed and when, and notify those people. The incident is contained because it is measurable.
A plain database shipped inside the app is the opposite. Once that file is on a customer's phone, you have no record of anything. You cannot tell who opened it, who copied it, or whether it was read once or a thousand times. If it leaks, you cannot scope the damage, because the damage happened on devices you never see. The only honest breach notice you can write is the one no board wants to sign: we believe every user may be affected, and we cannot narrow it down.
That is the real cost of the findings from the last two pieces. The encryption on your server, the one your security page is proud of, protects the copy of the data you can already see. It does nothing for the copy you handed to every person who installed the app. A leak you can measure is a bad week. A leak you cannot measure is the one that ends up with your company's name in it.
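The check behind that question is mechanical, so here it is as an added example (my code, not the author's tooling from the earlier pieces). An .ipa is a zip; the script walks it, flags every member that begins with the plain SQLite file header, and counts the rows in each table of what it finds, which is the "how much" you would otherwise be unable to state in a breach notice. The bundle it scans is constructed inline; the paths, the `patients` table and its rows are assumptions for the example.

```python
"""Find unencrypted SQLite databases inside an iOS app bundle (.ipa is a zip)
and count what they hold. Added example, not the article's own tooling."""
import io
import os
import sqlite3
import tempfile
import zipfile

# Every unencrypted SQLite 3 file starts with these 16 bytes. SQLCipher and
# other whole-file encryption replace them, so a miss here means "not plain".
SQLITE_MAGIC = b"SQLite format 3\x00"


def count_rows(db_bytes: bytes) -> dict:
    """Return {table_name: row_count} for a SQLite file given as bytes."""
    with tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False) as tmp:
        tmp.write(db_bytes)
        path = tmp.name
    try:
        con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)  # read-only
        try:
            tables = [row[0] for row in con.execute(
                "SELECT name FROM sqlite_master "
                "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
            return {t: con.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
                    for t in tables}
        finally:
            con.close()
    finally:
        os.unlink(path)


def find_plain_databases(ipa_bytes: bytes) -> dict:
    """Scan an .ipa (or any zip) and return {member_path: {table: rows}} for
    every member whose first bytes are the plain SQLite header."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < len(SQLITE_MAGIC):
                continue
            with zf.open(info) as member:
                if member.read(len(SQLITE_MAGIC)) != SQLITE_MAGIC:
                    continue
            findings[info.filename] = count_rows(zf.read(info))
    return findings


def build_sample_ipa() -> bytes:
    """Constructed sample bundle: an Info.plist, a fake Mach-O binary, an asset
    file, and a seeded patient database shipped inside the app. The paths,
    the table and its rows are assumptions made for this example."""
    with tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False) as tmp:
        path = tmp.name
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, diagnosis TEXT)")
    con.executemany("INSERT INTO patients (name, diagnosis) VALUES (?, ?)", [
        ("sample-patient-1", "condition-a"),
        ("sample-patient-2", "condition-b"),
        ("sample-patient-3", "condition-c"),
    ])
    con.commit()
    con.close()
    with open(path, "rb") as fh:
        db_bytes = fh.read()
    os.unlink(path)

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/Health.app/Info.plist", '<plist version="1.0"/>')
        zf.writestr("Payload/Health.app/Health", b"\xcf\xfa\xed\xfe" + b"\x00" * 64)
        zf.writestr("Payload/Health.app/Assets.car", b"\x00" * 32)
        zf.writestr("Payload/Health.app/seed.sqlite", db_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    for path, tables in find_plain_databases(build_sample_ipa()).items():
        print(path)
        for table, rows in tables.items():
            print(f"  {table}: {rows} rows shipped to every install")
```

Run it against a real build by replacing `build_sample_ipa()` with the bytes of your .ipa. Two caveats: Core Data stores are SQLite underneath, so they will be flagged, which is correct, since a plain Core Data store of patient records is exactly the file this piece is about; and a database encrypted with SQLCipher has no plaintext header and will not be flagged, which is also correct, because the question is whether a plain copy left your hands.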
One question to take upstairs
Ask the people who run your app one thing: if we had to file a breach notice tomorrow, could we say exactly whose health data was exposed, and how much? A confident answer means your data lives somewhere you can see and measure. A pause, or a shrug, means it does not, and that the breach notice would be the bad kind. Either way you have learned something, on a quiet afternoon, instead of in a letter from a regulator.
This is the third of five short pieces on what sits inside medical apps and which rules they break. Next: the European rule that stops treating this as your company's problem and starts naming you, personally.
Sèrge Koval is a security architect in Luxembourg, working on iOS and macOS. He wrote Secure Development of iOS and macOS Apps and takes apart real App Store apps for a living. He is on LinkedIn at linkedin.com/in/skoval.