FTC Finds that Ovulation Tracking App Violated the Health Breach Notification Rule

by | May 18, 2023 | Data Breach Laws, FTC (Federal Trade Commission), Government Enforcement, Privacy & Consent

  • The FTC and three states are seeking a total of $200,000 in penalties from the developer of a fertility app for disclosing sensitive health information to third parties: a $100,000 civil penalty under the Health Breach Notification Rule, plus $100,000 to Connecticut, the District of Columbia and Oregon.

  • The Premom App promised users that it would not share their health information with third parties without consent and that any data it did collect was non-identifiable and used only for its own analytics or advertising.

  • However, the FTC found that the Premom App embedded third-party tracking SDKs that shared highly sensitive health information for advertising purposes without obtaining consumers’ affirmative express consent, and that it never notified users of those disclosures.

On May 17, the FTC published a Press Release related to a new enforcement action against Easy Healthcare, the developer of a fertility app called Premom. The Premom App, which is free to download and used by hundreds of thousands of people, says it helps users track ovulation, periods, and other health information. The app encourages users to provide information about their menstrual cycles, fertility, and pregnancy as well as to import their data from other apps such as Apple Health.

The FTC asserts that the Premom App deceived users by sharing their sensitive personal information with third parties, including two China-based firms; disclosed users’ sensitive health data to AppsFlyer and Google; and failed to notify consumers of these unauthorized disclosures, in violation of the FTC’s Health Breach Notification (HBN) Rule. This is the FTC’s second enforcement of the HBN Rule in just over three months (its first enforcement was against GoodRx, which I covered here).

In a complaint filed by the DOJ on the FTC’s behalf, the FTC states that Easy Healthcare’s Premom App repeatedly and deceptively promised users in its privacy policies that it would not share their health information with third parties without users’ consent, and that any data it did collect was non-identifiable and used only for its own analytics or advertising (so, how many times have we heard that one from vendors before, right?). Despite those promises, the FTC found that Easy Healthcare failed to address the privacy and data security risks created by its use of third-party automated tracking tools, known as software development kits (SDKs), that it had built into the app. Because an embedded SDK sends data from inside the app directly to its vendor, the app’s own code was doing exactly what the privacy policy said would not happen: it shared highly sensitive health information (e.g., data about an individual user’s sexual and reproductive health, pregnancy status, etc.) for advertising purposes without obtaining consumers’ affirmative express consent.

The FTC also alleged that the Premom App integrated SDKs from other third parties, including the two China-based firms referred to above, app analytics provider Umeng and analytics provider Jiguang, and shared sensitive user data with them. This included Premom users’ social media account information and precise geolocation information, as well as data about their mobile devices and Wi-Fi network identifiers, which cannot be changed without buying a new device. Unlike an advertising identifier, which a user can reset, these non-resettable hardware and network identifiers persist across apps and reinstalls, so they can be used to identify individuals and to link the health data back to a specific person, according to the complaint.

The FTC is assessing a $100,000 civil penalty against Easy Healthcare for violating the HBN Rule. It is also asking that Easy Healthcare be:

  • Permanently prohibited from sharing user personal health data with third parties for advertising;
  • Required to obtain user consent before sharing personal health data with third parties for other purposes;
  • Required to retain users’ personal information for only as long as necessary to fulfill the purpose for which it was collected;
  • Prohibited from making future misrepresentations about Easy Healthcare’s privacy practices and required to comply with the HBN Rule’s notification requirements for any future breach of security;
  • Required to seek deletion of data it shared with third parties;
  • Required to send and post a consumer notice explaining the FTC’s allegations and the settlement; and
  • Required to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.

Interestingly, this is what the Premom App privacy disclosures look like now (screenshot of the app’s Google Play listing, not reproduced here):

source: https://play.google.com/store/apps/details?id=premom.eh.com.ehpremomapp&shortlink=fb91a919&Medium=header-button&c=premom+website&pid=Premom.com&source_caller=ui&pli=1

As part of a related action, Easy Healthcare is also required to pay a total of $100,000 to Connecticut, the District of Columbia and Oregon, which worked with the FTC on this matter, for violating their respective state laws.
