Application security, Privacy, Industry Regulations

Flo Health faces class-action for data-sharing practices with Facebook, Google

A woman holds prescription contraceptives June 13, 2001, in Seattle. (Tim Matsui/Getty Images)

Multiple users of the Flo Health app joined a lawsuit against the fertility and period-tracking app developer, alleging the platform shares sensitive health information with third parties, including Google and Facebook, without the users’ consent. Facebook, Google, AppsFlyer, and Flurry are also named as defendants.

The Flo app provides women’s health assistance and advice through ovulation calendars, a pregnancy guide, and period, wellness, and lifestyle trackers, with more than 38 million monthly active users. The developer just this week announced it landed $50 million in digital health funding for hiring and R&D purposes.

An initial lawsuit was filed against Flo Health by its users on Jan. 29, 2021. Filed in the U.S. District Court of Northern California, the newest suit consolidates a number of separate filings made throughout the year into one class-action.

According to the complaint, users are required to input personally identifiable information into the app, including names, contact details, dates of birth, and intimate health information, including menstruation cycles, sexual and gynecological health, and physical well-being gathered through a host of survey questions.

Although the app purported that the information would not be disclosed or used by third parties, it routinely shared users’ intimate details with the aforementioned third parties. The disclosures allegedly occurred despite Flo Health’s privacy practices, which repeatedly assured users the data would remain private.

In one instance, Facebook’s software development kit (SDK) can be incorporated into an app and is designed to share user data between the platform and the social media app. The Flo Health platform uses the SDK, which the suit argues enables developers to gain access to Facebook’s data analytics and other tools to create mobile ads and other tasks.

The lawsuit purports that Flo Health incorporated the SDK “so that it could use Facebook’s analytics tools to identify which of its users would be prime targets for advertisements keyed off the data they entered into the app,” the use of which enabled the app to transmit intimate health data entered by users, in contradiction to Flo Health’s privacy practices.

Interestingly, Zoom came under fire early last year for also leveraging the Facebook SDK that routinely shares data with the social media platform, a move which prompted the video conferencing giant to remove the SDK and apologize to users.

In the case of Flo Health, AppsFlyer and Flurry, two major digital advertisers, then incorporated the shared user data into their existing analytics and research segments to create advertisement profiles for Flo Health users.

“When these companies gain access to the intimate data users shared here, they are able to capitalize on an especially sensitive class of information and use [it] for their own benefit, including targeting women with ads in ways that are acutely invasive,” the lawsuit argues.

The lawsuit also shows the more recent iterations of the Flo Health app appear to have removed some of the SDKs in question, which were attributed to a Jan. 13, 2020, settlement between the app developer and the Federal Trade Commission over similar allegations: the app developer was accused of misleading more than 100 million consumers about its health disclosure practices.

The FTC settlement showed the app’s privacy practices promised users their health data would remain private, but Flo Health routinely shared data with third parties for marketing and analytics services. FTC’s core arguments mirrored those outlined in the lawsuit: the app did not limit how vendors could use the highly sensitive health information the Flo Health routinely shared with third parties.

The questionable practices continued until a 2019 Wall Street Journal report revealed Flo Health’s data disclosures to the public.

In addition to the data sharing, the FTC alleged Flo Health violated the EU-US Privacy Shield and Swiss-US Privacy Shield frameworks. The FTC commission unanimously agreed to the proposed administrative complaint and consent agreement.

As part of the FTC settlement, Flo Health is banned from misrepresenting the reasons for the collection, maintenance, use, and disclosure of users’ data, as well as how much of these processes consumers can control and its compliance with privacy and security programs. Flo was also required to notify the impacted users about the previous disclosures of health information, in addition to instructing the third parties to destroy any user data it received from the app prior to the settlement.

However, the newest lawsuit argues that some connections between the defendants named in the suit remained and argues Flo Health failed to obtain user consent.

Users began filing lawsuits soon after the FTC announced the settlement with Flo Health. A similar lawsuit was filed against another fertility app around the same time period. Easy Health Care, which owns the app PreMom, was sued for routinely sharing user data with third-party data collection firms in China without user consent.

And much like the claims against Flo Health, the data disclosures directly contradicted PreMom app’s terms of service and privacy policies.

Regulation gaps spur ongoing privacy issues with mHealth apps

The lawsuits and the Flo Health settlement last year led to calls from congressional members for an FTC crackdown on mobile health apps that share personal health information with third parties without user consent. The FTC's Health Breach Notification Rule authorizes FTC to address privacy issues tied to personal health records, including many menstruation-tracking mobile apps. 

The rule requires personal health record vendors to notify the FTC of compromises, as well as the media in the event of a large breach. The FTC authority is crucial in this space as mobile health apps aren’t regulated by The Health Insurance Portability and Accountability Act, unless a provider makes a recommendation for its use or the app is developed by a health care delivery organization. 

But stakeholders have noted there are limits. Before the national health emergency in 2020, health app privacy and security became a major congressional focus after a number of reports outlined the dubious data-sharing practices of a vast majority of health apps.

Multiple reports showed some of the most popular mHealth and mental health apps routinely share user data with third parties without consent or transparency around the practices. Stakeholders have noted many of these issues occur as they're not regulated by HIPAA. Many consumer health apps are also riddled with privacy gaps and concerns.

In fact, the most popular mHealth apps are vulnerable to API attacks due to the use of hard-coded API keys and other security oversights. A previous report from Alissa Knight, a cybersecurity analyst and partner at Knight Ink, estimated that at least 23 million mHealth users have been exposed due to these issues.

But without congressional action, the issues are likely to remain until the foreseeable future. A scathing letter to vendors opposing the recently enacted interoperability and info blocking rules showed Congress bears the onus for securing health app privacy, not the Department of Health and Human Services Office of the National Coordinator.

“ONC’s authority is limited to EHRs and related domains,” according to the Health Affairs letter. “The ONC does have authority to require technical upgrades to EHRs that implement consumers’ right to access their health data in a usable, computable format, but not to regulate consumer apps. Congress has the authority to improve consumer privacy protections and is well aware of the problem.”

For now, consumers must rely on the private right of action through similar lawsuits or avoid sharing crucial data with apps that fail to provide transparency around data disclosures.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.