Patient Privacy News

Fertility App Premom Sued Over Alleged Data Sharing with China

A lawsuit against Easy Healthcare claims its Premom fertility app routinely shared personal and geolocation data with three marketing, data collection, and analytics firms tied to China.

By Jessica Davis

Easy Healthcare Corp., the owner of fertility app Premom, is being sued by an app user over claims the company shared personal data with third-party data collection firms in China without user consent.

Filed in the US Northern District Court of Illinois, Eastern Division, the lawsuit alleges that once users downloaded the Premom application onto Google’s Android operating system, Easy Healthcare shared users’ personal data and locations with at least three outside parties without user knowledge and consent.

The data sharing was in direct contradiction of the app’s Terms of Service and Privacy Policies, according to the lawsuit.

The lawsuit claims the Premom app routinely shared data with Jiguang (also known as Aurora Mobile), Umeng, and UMSNS, all three of which are China-based data collection, analytics, and precision marketing firms.

“This was being done in secrecy without plaintiff or other Premom app users’ knowledge and consent and in violation of [Premom]’s privacy policies,” the lawsuit claimed. “Indeed, [Premom] promises, ‘We will not share or sell your personal data to advertising platforms, data brokers, or information resellers.’”

While the Premom app’s policies admitted that it would collect non-identifiable data from users, none of the outlined use cases established that the app would share any user data with third-party vendors. The policy also reiterated that it would only share data with users’ consent.

Despite these assertions, the user behind the lawsuit discovered Easy Healthcare was sharing her data and that of other users from the Android platform with the three Chinese entities. The data sharing lasted for three years, according to the suit.

“These three Chinese entities were formed and are located in China,” the suit argues. “These entities store all the Premom app users’ data set forth herein on servers located in China. Under Chinese law, all of this data is accessible by the People’s Republic of China, and in turn the Communist Party of China.”

“[Easy Healthcare] deceived the plaintiff and other Premom app users because, unknowing to them, it directly worked with these three Chinese entities prior to launching the Premom app,” it adds. “Prior to its launch, [Easy Healthcare] coded into the Premom app software the ability for these Chinese entities to access and take…. users’ personal information and location data.”

The lawsuit further argued that Easy Healthcare entered into the alleged exchange for monetary compensation from the three Chinese firms, misrepresenting the practice to its users: “an unfair, immoral, and unscrupulous business practice.”

The data in question includes persistent identifiers, such as geolocation data, device activities, user and advertiser IDs, and non-resettable device hardware identifiers. A skilled entity could combine these unchangeable identifiers with where the data was observed, which would allow the entity to reconstruct an individual’s activities.

The Premom app allegedly shared Wi-Fi media access control (MAC) addresses, router MAC addresses, international mobile equipment identities (IMEIs), Android advertising IDs (AAIDs), hardware IDs, and router SSIDs.

Given these practices, the lawsuit claims that now the Chinese firms and government know the exact geolocation of app users and can track users’ movements. Those entities also can access sensitive data shared with the app, including personal interests, health, religion, politics, and a host of other sensitive information.

The lawsuit claims this personal and location data is shared with the three Chinese firms when users unlock or use their device, whether or not the individual is using the Premom app. As such, Easy Healthcare was in direct violation of Google Play’s Developer policy, which bars this practice.

What’s more, the collected data could be used to conduct “‘ID Bridging’ capabilities... providing them an accurate permanent profile of the user, their activities, preferences, and personal details, even if the user tries to protect their privacy by changing the system-wide privacy settings.”

“Also, if any of these three Chinese entities have their data ‘hacked’ by parties with nefarious intentions, it is possible that neither [Easy Healthcare] nor the Chinese entities are under any obligation from state or federal laws to report said data violations to any Premom users,” according to the lawsuit.

“Therefore, Premom users are completely vulnerable to illegal data breaches of personal information and location data with no notice thereof or the ability to address the same,” it adds.

The lawsuit seeks class-action designation, attorneys’ fees, and equitable relief.

While alarming, the practices alleged in the lawsuit are not uncommon. Multiple reports have found that most third-party healthcare applications, including mental health apps, routinely share user data without clear and transparent policies on the process.

What’s worse, many third-party health apps do not fall under HIPAA regulations, which poses a massive privacy risk.

In recent years, Congress and healthcare industry leaders have made the case for amending HIPAA or creating other legislation to better protect consumer privacy. However, legislation is slow-going. For now, the FTC is tasked with most app regulation.

Just last month, the FTC reached a settlement with another app developer, Flo Health, over claims similar to those leveled against Easy Healthcare.

The Flo Health settlement resolves allegations that the popular period and fertility app shared the health information of its users with outside data analytics vendors, after its policies purported that it would keep user data private.