FTC Issues Health Breach Notification Rule Enforcement Action Against Fertility App

May 19, 2023 - The Federal Trade Commission (FTC) alleged that Easy Healthcare Corporation, the company that operates the Premom Ovulation Tracker app, violated the Health Breach Notification Rule by failing to notify users that it had shared sensitive personal information with third parties. Premom is a free app that allows its hundreds of thousands of users to track ovulation, menstruation, and other health information.

The enforcement action marks the second case in recent months alleging a violation of the Health Breach Notification Rule, which requires companies that collect health information to alert the FTC, consumers, and in some cases the media when a personal health record data breach occurs.

As previously reported, the FTC’s recent actions suggest that the commission will continue to prioritize protecting health data in the coming months.

In the case of Premom, the FTC alleged that the app deceived users by promising that it would not share customer health information with third parties without consent.

Specifically, the FTC’s investigation found that parent company Easy Healthcare had “failed to take reasonable measures to address the privacy and data security risks created by its use of third-party automated tracking tools known as software development kits (SDKs) and shared health information for advertising purposes without obtaining consumers’ affirmative express consent.”

Premom allegedly shared highly sensitive user data about users’ sexual and reproductive health and parental and pregnancy status with AppsFlyer and Google via the implementation of each company’s software development kit.

“The FTC also says Premom integrated SDKs from other third parties into the Premom app including from app analytics provider Umeng and analytics provider Jiguang and shared sensitive user data. This included Premom users’ social media account information and precise geolocation information, as well as data about their mobile devices and Wi-Fi network identifiers, which cannot be changed without buying a new device. These non-resettable identifiers can be used to identify individuals, according to the complaint,” the FTC stated in a press release.

“In addition to sharing data without user consent, Premom failed to encrypt adequately the data it shared with third parties, including those in China, subjecting this data to potential interception or seizure, and did not limit how third parties could use the data, according to the complaint.”

To resolve this case, the Department of Justice issued a proposed order on behalf of the FTC that would prohibit Easy Healthcare from sharing personal data with third parties for advertising and would require it to obtain user consent before sharing health data for any other purpose. A judge must approve the proposed order for it to go into effect.

Additionally, Easy Healthcare will pay a $100,000 civil penalty for violating the Health Breach Notification Rule.

“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to defend consumer's health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”