
FTC says fertility app Premom shared user health data with third parties


Premom “deceived users” by sharing their personal and health data with third parties, including two firms based in China, according to a new Federal Trade Commission enforcement action against the fertility app.

If approved, the app’s parent company will pay a $100,000 civil penalty for violating the FTC’s Health Breach Notification Rule.

The proposed enforcement action would also require the company to inform the third parties they must delete the data shared by the app, in addition to notifying users of the unauthorized disclosures and detailing the FTC action. Easy Healthcare would also need to implement a comprehensive security and privacy program, including strong consumer data protections.

“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “We will vigorously enforce the Health Breach Notification Rule to defend consumers’ health data from exploitation.”

“Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses,” he added.

Premom is accused of disclosing the health data of its users to AppsFlyer and Google without notifying consumers of the unauthorized disclosures.

The app is free to download and is used by hundreds of thousands of people to track ovulation, periods and other health data. Premom also urges users to provide details on their menstrual cycles, fertility and pregnancy, and to import data from other health apps.

The information shared with third parties revealed “highly sensitive and private details” about users, amounting to an unauthorized disclosure of their sexual and reproductive health, parental and pregnancy status, and other information about their physical health conditions, according to the FTC complaint.

As SC Media previously reported, this type of data is highly vulnerable in the wake of the Supreme Court’s repeal of Roe v. Wade, which generally protected the right to an abortion. The shift in abortion rights saw privacy advocates and congressional Democrats sounding the alarm on healthcare privacy and security risks, concerned the data could be used by prosecutors to identify people seeking to obtain abortions. 

The unauthorized disclosures were tied to Premom’s use of third-party software development kits (SDKs) integrated into the app, including SDKs from the analytics providers Umeng and Jiguang, which resulted in the disclosure of sensitive user data. The shared data included social media account details, precise geolocation information and mobile device data.

The FTC argues “these non-resettable identifiers can be used to identify individuals.” In addition to the privacy violations, Premom is accused of failing to adequately encrypt the data it shared with third parties, leaving it exposed to interception or seizure. The company also failed to limit how those third parties could use the data.

A proposed order filed by the Department of Justice would stop this practice and ban Premom’s parent company, Easy Healthcare, from sharing users’ personal health data with third parties for advertising purposes. The company would also be required to obtain consent before sharing health data for any other purpose and tell its users how their personal data will be used.

Easy Healthcare would also be required to retain user data “for only as long as necessary to fulfill the purpose for which it was collected,” and the order would “permanently prohibit the company from making future misrepresentations about its privacy practices.”

FTC going after app developers to protect consumer data

The charges mark the second action taken under the Health Breach Notification Rule. The $1.5 million settlement with GoodRx in February sent a warning shot to app developers that the agency would be using its legal authority to protect consumers’ sensitive data from exploitation. A separate action against BetterHelp in March targeted unfair practices and privacy failures.

Before this year, the FTC did not wield its authority to tackle possible health data privacy violations not covered by the Health Insurance Portability and Accountability Act (HIPAA), though the breach notification rule has long given the agency the power to do so.

That changed in September 2021, when the FTC voted to begin scrutinizing companies not covered by HIPAA because of the surge in health apps and digital health tech aimed at consumers during the COVID-19 pandemic. At the time, FTC Chair Lina Khan said “digital apps are routinely caught playing fast and loose with user data, leaving users’ information susceptible to hacks and breaches.”

The DOJ complaint makes similar allegations against Easy Healthcare: that the company “repeatedly and deceptively promised users in its privacy policies that it would not share their health information with third parties without users’ consent and that any data it did collect was non-identifiable and only used for its own analytics or advertising.”

Easy Healthcare is also accused of failing to take reasonable measures to address privacy and security risks created by the use of third-party automated tracking tools, which allegedly led to users’ health data being shared for advertising purposes without “affirmative express consent,” according to the FTC.

The order will not go into effect until it’s approved by a federal court.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
