FTC to Fine Easy Healthcare $100K For Data Breaches Connected to Premom App

Justice Dept., Connecticut, Oregon and D.C. Attorneys General Also Take Action

 

By: RON SHINKMAN

The U.S. Federal Trade Commission (FTC) on May 17 proposed fining the maker of the Premom smartphone app $100,000. It is also working with the U.S. Department of Justice to obtain curbs on how the company manages the highly sensitive information provided by users. Attorneys specializing in healthcare and privacy law say other reproductive health companies may soon find themselves the target of similar actions.

Premom, which was created by the Chicago-area firm Easy Healthcare, helps users get pregnant by charting their ovulation cycles. Pregnant users can also use the app to chart their pregnancies. It has been downloaded more than 1 million times by Android users, and has been reviewed more than 19,000 times by iPhone and iPad users.

The FTC also said that data gathered by the Premom app was illegally shared with third parties, among them two Chinese companies. According to a complaint the Justice Department filed against Easy Healthcare in federal court in Illinois on May 17, the companies are Umeng, a mobile app analytics firm owned by the e-commerce firm Alibaba, and Jiguang, a mobile development and data analytics company that goes by the name Aurora Mobile Ltd.

Premom also disclosed sensitive medical data to both Google and a company called AppsFlyer, which engages in data analytics. The Justice Department complaint describes the data that was shared as “identifiable health information,” a term for medical data that can be used to identify a specific individual. Such data includes names, addresses and dates of birth, among others.

Easy Healthcare, the Illinois-based firm that operates Premom, also failed to notify consumers of such disclosures, an alleged violation of the federal Health Breach Notification Rule.

“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, in a statement. “We will vigorously enforce the Health Breach Notification Rule to defend consumer's health data from exploitation.” 

In conjunction with the Justice Department, the FTC has also proposed that Easy Healthcare be barred from sharing users’ personal health data for advertising or marketing purposes, be required to obtain their consent before sharing that data for any other purpose, and be required to tell consumers how their personal data is being used. Although a federal judge is required to approve this order, a recent court filing states that Easy Healthcare is not contesting any of the proposed actions.

Michelle Merola, a partner with the New York-based law firm of Hodgson Russ and a former U.S. Assistant Attorney in Washington, D.C., called the FTC/Justice Department action a “shot over the bow to developers and vendors of health apps,” and said that similar steps against other app makers will be forthcoming.

Cynthia Khoo, a senior associate at the Center on Privacy and Technology at the Georgetown University school of law, agreed that enforcement is being ratcheted up.

“The FTC has become overwhelmingly cognizant of the harms of not just privacy…but the social, psychological and economic harms of technology companies engaging in these types of privacy practices,” she said.

Andrea Frey, San Francisco-based senior counsel and co-chair of the digital health practice of the law firm Hooper Lundy Bookman, added that regulators have a target-rich environment for enforcement.

“My guess is that there are certainly a lot of companies (that are) intentionally or unintentionally, gathering information through tracking technologies that are potentially in violation of FTC or HIPAA rules,” she said.

Khoo said that last year’s decision by the U.S. Supreme Court to strike down Roe v. Wade has made the feds and some state attorneys general particularly sensitive to the legal risks posed by not protecting personal information regarding the ovulation and pregnancy cycles of individual women. That has been further compounded by the growth of healthcare apps in recent years and gaps in the Health Insurance Portability and Accountability Act (HIPAA) that do not completely cover businesses that work with consumers but not with healthcare providers.

Khoo noted that the federal health breach notification rule – which requires companies managing breaches of healthcare information impacting 500 or more individuals to report the incident to the general public – has been on the books for 14 years. However, it has only been used twice to punish violators – both times in 2023.

“This suggests to me that they are willing to use it again going forward,” Khoo said. She added that this was further reinforced by the FTC recently introducing new guidelines for how businesses collect and manage biometric data.

In addition to the federal fine, Premom’s parent company, Illinois-based Easy Healthcare, has also agreed to pay an additional $100,000 in fines to attorneys general in Connecticut, Oregon and the District of Columbia for state-level violations.

“District residents who used the Premom app were entitled to have their locations and devices kept confidential, but Easy Healthcare shared that private information with third parties without notice or consent, putting users at risk,” said D.C. Attorney General Brian Schwalb in a statement.

In a statement issued in mid-May, Easy Healthcare said “our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to put this matter behind us and focus on you, our users. Rest assured that we do not, and will not, ever sell any information about users’ health to third parties, nor do we share it for advertising purposes.” Easy Healthcare’s statement ended with a pitch for a new line of supplements for those trying to conceive and an upcoming line of prenatal vitamins, a segue Merola and Khoo said was extremely odd for a company responding to a federal regulatory action.

“Odds are that the FTC takes issue with Easy Healthcare’s response and that it is removed from the website before the settlement is finalized,” Merola said.

An Easy Healthcare spokesperson would only refer back to the posted statement when asked to comment about the specifics of the settlement and the product pitches.

The themes reported in this publication are those of the news. They do not reflect the views of Inside Reproductive Health.

 
 

All external links active as of 6/1/23.
