Menendez Leads Colleagues in Raising Concerns about Security of Users’ Private Health Data on Apple’s COVID-19 Screening Tools

On March 27, the tech giant launched a COVID-19 app and website

  
WASHINGTON, D.C. – U.S. Senator Bob Menendez (D-N.J.), a senior member of the Senate Finance Committee that sets national health policy, today was joined by Sens. Kamala Harris (D-Calif.), Richard Blumenthal (D-Conn.) and Cory Booker (D-N.J.) in a letter to Apple raising concerns about the company’s COVID-19 screening tools and the safety and security of private health data that will potentially be collected from users. In their March 27 announcement, Apple maintained it will collect "some information" to help improve the site but failed to identify what that information would include.

“While we acknowledge Apple’s statements regarding user privacy and that the questionnaire tools ‘do not require a sign-in or association with a user’s Apple ID, and users’ individual responses will not be sent to Apple or any government organization,’ we are nonetheless concerned for the safety and security of Americans’ private health data,” Sens. Menendez, Blumenthal, Harris and Booker wrote to Apple’s CEO, Tim Cook.

“…[A]ll data collected via Apple’s screening tools should remain confidential and must not be used for any commercial purposes in the future. Apple should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Additionally, we would like to better understand your efforts to keep any collected information safe from potential hackers, foreign state and non-state actors with nefarious intent, and other criminal enterprises,” the senators continued.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the flow of healthcare information and stipulates how personally identifiable information is maintained and shared.

The senators also asked Mr. Cook to provide the specific terms of any agreement between Apple and the federal government and/or state governments related to their screening tools. 

The Trump Administration announced on March 13 that Google would develop a national screening website; however, it has only been made available in some counties in California. Shortly after that announcement, Sen. Menendez and a group of colleagues expressed their concerns about privacy and cybersecurity vulnerabilities to the Administration and Google.

The full text of the letter can be found here and below.

Dear Mr. Cook,

We write to express our concerns and to obtain information about your company’s launch of a virus screening application and website for SARS-CoV-2. As COVID-19 continues to spread, application and website developers are moving quickly to provide reliable at-home risk assessment and symptom screening tools to advise whether individuals should be evaluated for infection. Although the use of technological innovations and collaboration with the private sector is a necessary component to combating COVID-19, Americans should not have to trade their privacy at the expense of public health needs.

As you know, on March 27, 2020, the Centers for Disease Control and Prevention (CDC) announced the release of an app and website created by Apple in partnership with the White House Coronavirus Task Force and the U.S. Department of Health and Human Services. The app and website are designed for individuals to complete a questionnaire about their health and exposure to determine if they should seek care for COVID-19 symptoms. Both the website and app guide users through a diagnostic questionnaire, and once completed, provide CDC recommendations on next steps including guidance on social distancing and self-isolating, how to closely monitor symptoms, recommendations on testing, and when to contact a medical provider.

While we acknowledge Apple’s statements regarding user privacy and that the questionnaire tools “do not require a sign-in or association with a user’s Apple ID, and users’ individual responses will not be sent to Apple or any government organization,” we are nonetheless concerned for the safety and security of Americans’ private health data.  Additionally, Apple maintained that although it will not collect personal information, it will collect "some information" to help improve the site without identifying what that information will be.

In the interest of Americans during these unprecedented times, all data collected via Apple’s screening tools should remain confidential and must not be used for any commercial purposes in the future. Moreover, Apple should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA). Additionally, we would like to better understand your efforts to keep any collected information safe from potential hackers, foreign state and non-state actors with nefarious intent, and other criminal enterprises.

To address these concerns, please provide answers to the following questions no later than April 10, 2020.  We appreciate your efforts to protect Americans and we look forward to your response.

1. Please provide the specific terms of any agreement between your company and the federal government and/or state governments.

2. Are the Apple screening site and app governed under the terms of the HIPAA? If not, please explain why.

3. What are the specific data retention policies regarding any and all information entered into the website and app by individuals?

4. Can individuals who use the website and app access and monitor the data that Apple collects about them?

5. Will Apple commit that it will refrain from using data collected on the website and app for commercial purposes?

6. Will Apple commit to refraining from sharing or selling the data collected on the website and app to third parties?

7. What specific cybersecurity safeguards will be utilized to ensure the security of the data entered on the website and app?

8. Will the website and app be accessible to those with disabilities?

 

Sincerely,

 
