A popular fertility tracking app shared users’ sensitive health information with third-party advertisers without their consent, a new Federal Trade Commission complaint alleges.
The FTC’s investigation into Premom, a fertility tracking app developed by Easy Healthcare that allows users to track ovulation, periods and other health information, found that since 2018 the company had shared identifiable health and location information with Google and marketing company AppsFlyer.
Premom collected and shared data on “hundreds of thousands” of users, including details about their sexual and reproductive health, parental and pregnancy status, as well as other information about an individual’s physical health and status. The app also shared users’ location data, along with unique ads and device identifiers, which could be used by other advertisers to track users across the web and other apps.
Ultimately, it was possible for third parties to associate fertility and pregnancy data “to a specific individual,” the FTC said in its complaint.
The FTC said the data sharing with third parties repeatedly violated Easy Healthcare’s privacy policy, which pledged to share only “non-identifiable data” with third parties, in violation of the FTC’s Health Breach Notification Rule.
Easy Healthcare also reportedly shared sensitive, identifiable user data with two China-based mobile analytics companies known for “suspicious privacy practices,” said a statement from Connecticut Attorney General William Tong. Between 2018 and 2020, data including IMEI numbers — sequences of numbers associated with individual devices — and precise geolocation data were transferred to analytics firms Jiguang and Umeng, according to the FTC.
The FTC claims the company did this knowing that Jiguang and Umeng could use this data for their own business purposes or transfer the data to additional third parties, saying that Easy Healthcare only stopped sharing this data when Google notified the app maker in 2020 that the transfer of data to Umeng violated Google Play Store policies.
“Premom broke its promises and compromised consumer privacy,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to protect consumer health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate violations of health privacy.”
As part of a proposed settlement filed by the Justice Department, Easy Healthcare has agreed to pay a $100,000 civil penalty for violating the FTC’s Health Breach Notification Rule. It also agreed to pay a total of $100,000 to the states of Connecticut and Oregon, and the District of Columbia, to assist in the FTC’s investigation.
As part of the order, Easy Healthcare has also agreed to stop sharing personal health data with third parties for advertising and is required to request that third parties delete the data (although the companies are not legally required to comply). Easy Healthcare has also agreed to implement new security and privacy programs and conduct regular privacy and security audits at the agencies.
Easy Healthcare did not respond to TechCrunch’s request for comment. However, on its website, Premom said its agreement with the FTC is “no admission of any wrongdoing.”
This is the second time the FTC has filed an enforcement action against a company for violating the Health Breach Notification Rule. In February of this year, the agency reached a settlement with online pharmacy GoodRx for failing to disclose to users that it had shared personally identifiable health information with Facebook, Google and other third parties.