Health tracking app charged by FTC for sharing sensitive information

Image via Unsplash

Fertility app Premom has been charged by the Federal Trade Commission (FTC) for sharing users' sensitive information with third parties, and sharing sensitive health data to Google. According to the FTC, this is in violation of the Health Breach Notification Rule (HBNR). This is the FTC’s second enforcement action involving the Health Breach Notification Rule following a settlement announced in February with telehealth and prescription drug discount provider GoodRx Holdings Inc.

As part of a proposed order filed by the Department of Justice on behalf of the FTC, Illinois-based Easy Healthcare Corporation, which operates the Premom app, would be barred from sharing users’ personal health data with third parties for advertising, required to obtain users’ consent before sharing health data for any other purpose and must tell consumers how their personal data will be used. The proposed order must be approved by the federal court to go into effect.

The Premom app helps users track ovulation, periods and other health information, and also sells ovulation test kits. The app encourages users to provide information about their menstrual cycles, fertility and pregnancy as well as to import their data from other apps such as Apple Health.

In a complaint also filed by the Department of Justice, the FTC says that Easy Healthcare repeatedly and deceptively promised users in its privacy policies that it would not share their health information with third parties without users’ consent and that any data it did collect was non-identifiable and only used for its own analytics or advertising. Easy Healthcare failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools known as software development kits (SDKs) and shared health information for advertising purposes without obtaining consumers’ affirmative express consent, according to the FTC.

Premom failed to fully disclose its data sharing practices, and also violated direct promises to users, the FTC says. The data it shared with third parties revealed highly sensitive and private details about Premom’s users and led to the unauthorized disclosure of facts about an individual user’s sexual and reproductive health, parental and pregnancy status as well as other information about physical health conditions and status.

The FTC says Premom deceived users by disclosing such sensitive and identifiable health information to marketing firm AppsFlyer and Google through the integration of each company’s SDK. An SDK tracks a user’s interactions with an app and other identifiable information and shares that data with third parties.

Premom’s failure to notify users about the company’s unauthorized disclosure of their unsecured individually identifiable health information to third parties violated the FTC’s HBNR, according to the complaint. The rule requires a vendor of personal health records to notify users, the FTC and in some cases the media, when there has been an unauthorized acquisition of unsecured individually identifiable health information.

The FTC also says Premom integrated SDKs from other third parties into the Premom app including from app analytics provider Umeng and analytics provider Jiguang and shared sensitive user data. This included Premom users’ social media account information and precise geolocation information, as well as data about their mobile devices and Wi-Fi network identifiers, which cannot be changed without buying a new device. These non-resettable identifiers can be used to identify individuals, according to the complaint.

In addition to sharing data without user consent, Premom failed to encrypt adequately the data it shared with third parties, including those in China, subjecting this data to potential interception or seizure, and did not limit how third parties could use the data, according to the complaint.

As part of the proposed order, Easy Healthcare will pay a $100,000 civil penalty for violating the HBNR and will also be:

Permanently prohibited from sharing user personal health data with third parties for advertising.
Required to obtain user consent before sharing personal health data with third parties for other purposes.
Required to retain users’ personal information for only as long as necessary to fulfill the purpose for which it was collected.
Prohibited from making future misrepresentations about Easy Healthcare’s privacy practices and required to comply with the HBNR notification requirements for any future breach of security.
Required to seek deletion of data it shared with third parties.
Required to send and post a consumer notice explaining the FTC’s allegations and the settlement.
Required to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.

As part of a related action, Easy Healthcare also has agreed to pay a total of $100,000 to Connecticut, the District of Columbia and Oregon, which worked with the FTC on this matter, for violating their respective laws.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.