Tech & Innovation in Healthcare

Industry Notes:

Unauthorized Data Sharing Results in Monetary Penalties

On May 17, 2023, the Federal Trade Commission (FTC) announced a proposed order to prevent an ovulation tracking app from sharing health data for advertising purposes. According to the FTC press release, the tracking app, Premom, shared personal information with third parties for advertising, disclosed users’ sensitive health data to third parties, and failed to properly notify consumers of the unauthorized disclosures, which is a Health Breach Notification Rule (HBNR) violation.

As a result of the HBNR violation, Premom’s parent company, Easy Healthcare, faces a $100,000 civil penalty and is subject to the following:

  • Forbidden from sharing user health data with third parties for advertising;
  • Must receive user consent prior to sharing personal health data with third parties for other reasons;
  • Must retain users’ personal information only for as long as it is needed to fulfill the purpose for which the information was originally collected;
  • Barred from making future representations about the company’s privacy practices and must comply with HBNR notification requirements for any breach of security in the future;
  • Must contact the third parties with which the company shared data and seek deletion of that data;
  • Must send and post a consumer notice explaining the FTC’s allegations and settlement; and
  • Must deploy comprehensive security and privacy programs, which include tough consumer data protections.

Easy Healthcare must also pay a total of $100,000 to Connecticut, Washington D.C., and Oregon for violating their respective laws. These jurisdictions worked with the FTC on the case.

The FTC proposed order must be approved by federal court before it can go into effect.

In a Department of Justice-filed complaint, the FTC claimed Easy Healthcare “repeatedly and falsely promised Premom users in their privacy policies” that the company “would not share health information with third parties without users’ knowledge or consent; … to the extent Defendant collected and shared any information, it was non-identifiable data; and … the data was used only for Defendant’s own analytics or advertising.”

The FTC also claims that the app’s parent company didn’t take reasonable measures to address the data security and privacy risks created by the company’s use of software development kits (SDKs). SDKs are third-party automated tracking tools that apps use to monitor and analyze users’ interactions with an app and that share that data with third parties.