Makers of the popular fertility tracking app Premom repeatedly deceived users by sharing sensitive information that included health data to third parties without users’ permission, a new Federal Trade Commission complaint alleges.
The agency’s investigation found that Easy Healthcare, which developed the app, violated its direct promises to users by improperly disclosing sensitive data indicating sexual and reproductive health information, including pregnancy status, to the marketing firm AppsFlyer and Google. As far back as 2018, the third parties received data on “Custom App Events” with labels that conveyed sensitive health information, according to a Justice Department complaint. For instance, the third party could see the event “Log period-save” when a user logged information about their period. he FTC alleges that the disclosures repeatedly violated the company’s promises to users that it would not share any identifiable or health data.
Between 2018 and 2020 the developers also shared sensitive data such as precise geolocation data tied to a non-resettable mobile device identifier with two Chinese-advertising firms without user permission, according to the complaint. The findings were the focus of a joint investigation by the attorneys general of Washington, D.C,, Oregon, and Connecticut, which coordinated with the FTC.
The complaint comes as both state attorneys general and the FTC have ramped up warnings against firms sharing sensitive reproductive health information in the wake of the Dobbs decision last spring reversing the constitutional right to abortion. State attorneys general have issued warnings to consumers against sharing sensitive reproductive health information that could be used against them in criminal investigations.
The complaint about sharing sexual and reproductive health data goes beyond initial concerns raised about the company in 2020 after The Washington Post reported findings that the company’s Android app collected user device data and shared it with three Chinese advertising companies without user permission. Premom said that it stopped data sharing, first detected by researchers at the International Digital Accountability Council, after the Washington Post contacted the company and Google Play, which temporarily removed the app for violating its policies. Members of Congress at the time called on the FTC to investigate the privacy concerns.
Both researchers and the FTC investigation concluded that Premom failed to adequately encrypt data it shared with third parties, including the Chinese advertisers, leaving it susceptible to interception.
As a part of the proposed settlement filed by the Justice Department on Wednesday, Easy Healthcare has agreed to pay a $100,000 civil penalty for violating the FTC’s Health Breach Notification Rule. As part of the order, Easy Healthcare will agree to refrain from sharing personal health data with third parties for advertising. Easy Healthcare has agreed to implement new security and privacy programs and provide regular privacy and security audits to the agencies.
The FTC investigation was launched in coordination with the attorneys general of Washington, D.C., Connecticut and Oregon. Easy Healthcare will also pay a total of $100,000 to the states.
“District residents who used the Premom app were entitled to have their locations and devices kept confidential, but Easy Healthcare shared that private information with third parties without notice or consent, putting users at risk,” said D.C. Attorney General Brian Schwalb. “Now more than ever, with reproductive rights under attack across the country, it is essential that the privacy of healthcare decisions is vigorously protected.”
Easy Healthcare denied any wrongdoing in its settlement with the District of Columbia. CyberScoop has reached out for comment.
This is the second time the agency has brought an enforcement action against a company for violating the Health Breach Notification Rule. Earlier this year, it reached a settlement with telehealth and prescription drug discount company GoodRx for failing to disclose to users that it shared personally identifiable health information to Facebook, Google and other third parties. The agency is expected to issue a notice of proposed rulemaking to amend the Health Breach Notification Rule at a meeting Thursday.