A popular fertility tracking app shared users’ sensitive health information with third-party advertisers without their consent, a new Federal Trade Commission complaint alleges.
The FTC’s investigation into Premom, a fertility tracking app developed by Easy Healthcare that allows users to track ovulation, periods and other health information, found that the company had shared identifiable health and location information with Google and marketing firm AppsFlyer since 2018.
Premom collected and shared data on “hundreds of thousands” of users, including details about their sexual and reproductive health, parental and pregnancy status, as well as other information about individuals’ physical health conditions and status. The app also shared users’ location data along with unique advertising and device identifiers, which could be used by other advertisers to track users across the internet and other apps.
Ultimately it was possible for third parties to associate fertility and pregnancy data “to a specific individual,” the FTC said in its complaint.
The FTC said that this third-party data sharing repeatedly violated Easy Healthcare’s privacy policies, which promised to share only “non-identifiable data” with third parties, and contravened the FTC’s Health Breach Notification Rule.
Easy Healthcare also allegedly shared users’ sensitive identifiable data with two China-based mobile analytics companies known for “suspect privacy practices,” according to a statement by Connecticut attorney general William Tong. Data including IMEI numbers — strings of numbers tied to individual devices — and precise geolocation data were transferred to analytics firms Jiguang and Umeng between 2018 and 2020, according to the FTC.
The FTC alleges that the company did so knowing that Jiguang and Umeng could use this data for their own business purposes or could transfer the data to additional third parties, and says Easy Healthcare only stopped sharing this data when Google notified the app maker in 2020 that the transfer of data to Umeng violated its Google Play Store policies.
“Premom broke its promises and compromised consumers’ privacy,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said. “We will vigorously enforce the Health Breach Notification Rule to defend consumer’s health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
As a part of a proposed settlement filed by the Department of Justice, Easy Healthcare has agreed to pay a $100,000 civil penalty for violating the FTC’s Health Breach Notification Rule. It has also agreed to pay a total of $100,000 to the states of Connecticut and Oregon, and the District of Columbia, which assisted with the FTC’s investigation.
As part of the order, Easy Healthcare has also agreed to stop sharing personal health data with third parties for advertising and is required to request that the third parties delete the data (though the companies are under no legal obligation to comply). Easy Healthcare has also agreed to implement new security and privacy programs and provide regular privacy and security audits to the agencies.
Easy Healthcare didn’t respond to TechCrunch’s request for comment. However, in a statement on its website, Premom said its agreement with the FTC is “not an admission of any wrongdoing.”
This marks the second time the FTC has brought an enforcement action against a company for violating the Health Breach Notification Rule. In February this year, the agency reached a settlement with online pharmacy GoodRx for failing to disclose to users that it shared personally identifiable health information with Facebook, Google and other third parties.