The Federal Trade Commission announced charges against a fertility software application for sharing sensitive user data to third party hosting platforms without informing users.
Ovulation tracking app Premom allegedly violated its own privacy policies by sharing user health data with companies, including Google and AppsFlyer, along with foreign analytics companies Jiguang and Umeng, according to a complaint filed by the Department of Justice in Illinois.
The data breach is a violation of the FTC’s Health Breach Notification Rule that stipulates a covered entity must disclose leaks of unsecured data to consumers.
“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to defend consumer’s health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
Data from Premom users was allegedly shared over the course of May 2017 to July 2020, despite stating in its privacy policies that users’ health information would not be shared with third parties. Some of its services requested GPS data disclosure from users while continually maintaining that Premom, and its parent company Easy Healthcare, wouldn’t share user information outside of the app.
The complaint alleges that the collection and sharing of this data with third party tracking tools called software development kits—despite the company stating otherwise in its privacy policies—amounted to misleading consumers.
“Premom failed to fully disclose its data sharing practices, and also violated direct promises to users,” the FTC press release said. “The data it shared with third parties revealed highly sensitive and private details about Premom’s users and led to the unauthorized disclosure of facts about an individual user’s sexual and reproductive health, parental and pregnancy status, as well as other information about physical health conditions and status.”
Premom and Easy Healthcare have been ordered to pay a $100,000 civil penalty fine for violating the HBNR.
In response to the FTC’s findings, Premom clarified that its agreement with the FTC to pay the fine is not an admission of wrongdoing, but a settlement to avoid potentially lengthy and costly legal proceedings.
“Rest assured that we do not, and will not, ever sell any information about users’ health to third parties, nor do we share it for advertising purposes,” the company stated. “Protecting users’ data is a high priority, which is why we have always been transparent with and cooperated fully throughout the FTC’s review of our privacy program.”
The security of reproductive data has come under significant scrutiny following the Supreme Court overturning of landmark abortion access case Roe v. Wade. Leaders from the Department of Health and Human Services previously said “all options are on the table” in regards to using new and existing legal tools to protect reproductive data from law enforcement.
Shortly after the initial overturning, President Joe Biden signed an executive order specifically protecting health, GPS and location data about women who may be seeking reproductive care from law enforcement in states with restrictive abortion laws.
Silicon Valley behemoths also appeared to take more protective measures on user data. In early July, Google committed to safeguarding data passing through its myriad software applications, including its search engine and Google Fit systems.
7 total views, 2 views today