The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

$200,000 Penalty for Impermissible Sharing of Premom App Users’ Health Data

Easy Healthcare, the developer and distributor of the Premom Ovulation Tracker (Premom) app, has agreed to settle an FTC complaint that alleged violations of the FTC Act and Health Breach Notification Rule related to the sharing of app users’ health data with third parties without consent.

The Premom app allows users to track their periods and ovulation cycles. Users can upload pictures of ovulation test strips, which the app analyses to predict the user's next ovulation cycle, and can import health data from other devices and apps. The app has been downloaded by hundreds of thousands of women. Between 2017 and 2020, the terms and conditions of use stated, "We do not, and will not, ever sell any information about users' health to third parties, nor do we share it for advertising purposes." The FTC alleged that during that period the Premom app transmitted users' sensitive health information to third-party advertisers without user consent.

The FTC's Health Breach Notification Rule ensures that entities not covered by the Health Insurance Portability and Accountability Act (HIPAA) face accountability for breaches of consumers' sensitive health data. The Rule requires notifications to be issued to consumers when there has been a breach of individually identifiable health information. In September 2021, the FTC issued a policy statement confirming that the Rule applies to developers of health apps and similar technologies, and that sharing covered health data with third parties without users' authorization is a breach under the Rule, not just an unauthorized intrusion by an outside party.

According to the FTC complaint, Easy Healthcare told app users that their health data would not be shared with third parties without their knowledge or consent, and falsely claimed that the information it did share with third parties was non-identifiable and would only be used for internal analytics. The FTC alleged that since 2018, Easy Healthcare shared Premom user data with Google LLC and the marketing analytics firm AppsFlyer Inc., and that between 2018 and 2020, Premom user data was also shared with two Chinese mobile analytics companies, Jiguang (aka Aurora Mobile Ltd) and Umeng. Easy Healthcare made no effort to restrict how those companies used the health data, so they could use it for a broad range of purposes, including advertising. In addition to health data, identifiers unique to each mobile device (such as IMEI numbers) were shared, along with precise geolocation data. The data sharing only stopped when Google informed Easy Healthcare that it violated Google Play Store policies.


The FTC determined that Easy Healthcare failed to implement reasonable privacy and data security measures, in violation of the FTC Act. Because the disclosures constituted a breach of security under the Health Breach Notification Rule, Easy Healthcare was required to notify app users, the FTC, and the media. The FTC determined that timely and proper notice was not provided, in violation of the Rule. "Premom broke its promises and compromised consumers' privacy," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "We will vigorously enforce the Health Breach Notification Rule to defend consumer's health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses."

If the order is approved by the court, Easy Healthcare will pay a civil monetary penalty of $100,000 to the Treasurer of the United States. A further $100,000 settlement was agreed with the states of Connecticut and Oregon and the District of Columbia, which assisted the FTC with the investigation, bringing the total to $200,000. "Given the intimate health data that apps like Premom collect and what that may reveal about when a pregnancy starts or stops, it is critical that user information is kept safe and private," said Connecticut Attorney General William Tong. "Our settlement forces Easy Healthcare to adopt strict privacy requirements to ensure that its users' information is appropriately protected."

Easy Healthcare has also been ordered to cease sharing personal health data with third parties for advertising purposes, and must contact the third parties that received user data and request that the information be deleted. Easy Healthcare has also agreed to make improvements to its privacy and security practices and to conduct regular privacy and security audits.

Easy Healthcare agreed to settle the case with the FTC to avoid the time and expense of litigation; the decision to settle is not an admission of wrongdoing. "Rest assured that we do not, and will not, ever sell any information about users' health to third parties, nor do we share it for advertising purposes. At Easy Healthcare, we adhere to the promises we make to our users. Protecting users' data is a high priority, which is why we have always been transparent with and cooperated fully throughout the FTC's review of our privacy program. We remain committed to these principles," said Easy Healthcare in a statement.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist in healthcare industry legal and regulatory affairs and has 10 years of experience writing about HIPAA and related legal topics. Steve has developed a deep understanding of the regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor's of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
