Case is FTC’s 2nd Enforcement of Health Data Breach Notification Rule
The developer of fertility logging app Premom agreed it shouldn’t share user information with advertisers under an agreement with the U.S. Federal Trade Commission. App maker Easy Healthcare must also pay $100,000 and ask the advertising and analytics companies that received user information to delete the data.
Recipients of data from the app, which allows women to track periods and ovulation cycles, include U.S. companies Google and AppsFlyer and Chinese companies Jiguang and Umeng, the latter owned by Hangzhou-based tech conglomerate Alibaba. Premom offers users a pregnancy guarantee that promises to refund costs if they do not successfully conceive within nine months.
The order comes from litigation filed in Chicago federal court and must be approved by the court. A statement on the company website characterized the settlement as an avoidance of “time and expense of litigation.”*
“We do not, and will not, ever sell any information about users’ health to third parties, nor do we share it for advertising purposes,” the company said.
The complaint charges Easy Healthcare with misleading the hundreds of thousands of women who downloaded the app by falsely asserting between 2017 and 2020 that it would not share user data with advertisers.
Instead, the company shared users’ identifiable health information with third parties in 2018. It stopped sharing with Jiguang and Umeng in the summer of 2020 after the Google Play store informed Easy Healthcare that the data transfers violated app store policies.
The FTC invoked the Health Breach Notification Rule in the complaint as the basis for asserting that Easy Healthcare committed violations.
The FTC in 2021 expanded its interpretation of the breach notification rule to include incidents of unauthorized access, not just data breaches that were the result of cybersecurity incidents. It also said personal health records covered by the notification rule include apps capable of drawing information from multiple sources.
“Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses,” said Samuel Levine, director of the FTC’s bureau of consumer protection.
The lawsuit is the second time the agency invoked its expanded interpretation of the Health Breach Notification Rule, the first being a February settlement with discount drug provider GoodRx Holdings (see: FTC Hits Firm with $.15M Fine in Health Data Sharing Case).
Easy Healthcare also faces at least one proposed class action lawsuit tied to data sharing (see: Lawsuit: App Maker Shared Health Data with Chinese Firms).
*Update May 17, 2023 20:50 UTC: Adds response from Easy Healthcare.