On May 17, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against Illinois-based Easy Healthcare Corporation (“Easy Healthcare”), which operates the Premom application, for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Easy Healthcare has developed, advertised, and distributed a mobile application called the Premom Ovulation Tracker (“Premom”) that allows users to input and track various types of personal and health information. In the complaint (“Complaint”), the FTC alleges that Easy Healthcare deceived users by disclosing users’ sensitive health data with third parties and failed to notify consumers of these unauthorized disclosures in violation of the HBNR. The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, imposes a civil penalty of $100,000 and prohibits Easy Healthcare from sharing user personal health data with third parties for advertising, among other requirements. As part of a related action, Easy Healthcare has agreed to pay an additional $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective laws.
The latest enforcement action against Premom follows recent FTC actions against GoodRx Holdings, Inc. for violating Section 5 of the FTC Act and the HBNR and BetterHelp, Inc. for violating Section 5 of the FTC Act, which appears to be part of a larger effort by the FTC to monitor the practices of websites, apps, and connected devices that capture consumer’s sensitive health information. The action also signals the FTC’s spotlight on companies’ use of reproductive health data, particularly in menstrual cycle and fertility applications, in the wake of the Dobbs v. Jackson Women’s Health Organization (“Dobbs”) decision.
The Complaint
According to the Complaint, the FTC alleges that, between 2017 and 2020, Easy Healthcare repeatedly and falsely promised Premom users in in its privacy policies that (1) it would not share health information with third parties without users’ knowledge or consent; (2) to the extent that the company collected and shared any information, it was non-identifiable data, and that its use of third-party analytics software identified a user solely by IP address; and (3) the company would only use such data for its own analytics or advertising. The FTC states that Easy Healthcare’s privacy policies over time promised consumers that it would notify and obtain consent from users before using its users’ data for any other purposes.
The FTC alleges that Easy Healthcare shared Premom users’ identifiable health information through “Custom App Events” to third parties. According to the Complaint, Easy Healthcare incorporated into the Premom app software development tools, known as software development kits (“SDKs”), which allowed Easy Healthcare to track and analyze Premom users’ interactions with Premom and transfer its app users’ data—including data about users’ fertility and pregnancies—to the publisher of each SDK. The Complaint states that Easy Healthcare gave these companies (including third-party marketing and analytics firms, some of which were foreign companies) broad latitude to use such data as they saw fit by agreeing to their standard terms of service.
The FTC also alleges that Easy Healthcare failed to implement reasonable privacy and data security measures, including failing to adequately assess the privacy risks of third-party SDKs that were incorporated into Premom, failing to monitor changes in the privacy policies and terms and conditions of the SDK publishers, and failing to engage in audits or compliance reviews regarding the data collection and privacy practices of third-party publishers. The FTC also found that Easy Healthcare failed to enforce compliance with their own privacy promises to consumers.
The Proposed Order
The Proposed Order states that Easy Healthcare must pay a civil penalty of $100,000 to the federal government. In addition to the civil penalty, the Proposed Order prohibits Easy Healthcare from engaging in certain practices, requires it to notify individuals as required under the HBNR, and requires it to engage in various activities designed to bolster its compliance program. Specifically, the Proposed Order includes the following prohibitions and requirements:
- Permanently prohibits Easy Healthcare from sharing users’ personal health data with third parties for advertising;
- Requires Easy Healthcare to obtain user consent before sharing personal health data with third parties for other purposes;
- Requires Easy Healthcare to retain users’ personal information for only as long as necessary to fulfill the purpose for which it was collected;
- Prohibits Easy Healthcare from making future misrepresentations about its privacy practices;
- Requires Easy Healthcare to comply with the HBNR’s notification requirements for any future breach of security;
- Requires Easy Healthcare to seek deletion of data it has shared with third parties;
- Requires Easy Healthcare to send and post a consumer notice explaining the FTC’s allegations and the settlement; and
- Requires Easy Healthcare to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.
Takeaways
As discussed in a prior client alert, the FTC issued a policy statement in September 2021 to affirm that health apps and connected devices that collect or use consumers’ health information must comply with the HBNR. In addition to the policy statement, which appears to have significantly expanded the HBNR’s scope, the FTC recently announced that it would be seeking comment on proposed changes to the HBNR that include clarifying the rule’s applicability to health apps and other similar technologies.
Moreover, the Administration and the FTC have increased scrutiny on companies that share sensitive reproductive health information in the wake of the Dobbs decision last spring reversing the constitutional right to abortion. Since the release of the Dobbs decision, the Administration has worked to bolster protections for sensitive health data related to reproductive health care through a combination of law enforcement and policy initiatives, including a previous FTC enforcement action against Flo Health Inc., the developer of a fertility tracking app, in addition to commitment from the FTC to protect consumers from companies that misuse reproductive health data.
Digital health companies and other organizations across the health care industry should take note of recent enforcement actions, evaluate whether the HBNR applies to their business, review and update policies and compliance with FTC requirement, and continue to monitor FTC enforcement actions and other developments regarding the HBNR. This is particularly important for companies that focus on women’s health.
For more information or advice regarding the applicability of the Enforcement Action to your organization, please contact the professional(s) listed below or your regular Crowell & Moring contact.