On May 17, 2023, the Federal Trade Commission (“FTC”) announced an enforcement action (“Enforcement Action”) against Illinois-based Easy Healthcare Corporation (“Easy Healthcare”), which operates the Premom application, for allegedly violating Section 5 of the FTC Act and the Health Breach Notification Rule (“HBNR”). Easy Healthcare has developed, advertised, and distributed a mobile application called the Premom Ovulation Tracker (“Premom”) that allows users to input and track various types of personal and health information. In the complaint (“Complaint”), the FTC alleges that Easy Healthcare deceived users by disclosing users’ sensitive health data with third parties and failed to notify consumers of these unauthorized disclosures in violation of the HBNR. The proposed order (“Proposed Order”), which was brought by the U.S. Department of Justice on behalf of the FTC, imposes a civil penalty of $100,000 and prohibits Easy Healthcare from sharing user personal health data with third parties for advertising, among other requirements. As part of a related action, Easy Healthcare has agreed to pay an additional $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective laws.

The latest enforcement action against Premom follows recent FTC actions against GoodRx Holdings, Inc. for violating Section 5 of the FTC Act and the HBNR and against BetterHelp, Inc. for violating Section 5 of the FTC Act, and appears to be part of a larger effort by the FTC to monitor the practices of websites, apps, and connected devices that capture consumers’ sensitive health information. The action also signals the FTC’s spotlight on companies’ use of reproductive health data, particularly in menstrual cycle and fertility applications, in the wake of the Dobbs v. Jackson Women’s Health Organization (“Dobbs”) decision.

The Complaint

According to the Complaint, the FTC alleges that, between 2017 and 2020, Easy Healthcare repeatedly and falsely promised Premom users in its privacy policies that (1) it would not share health information with third parties without users’ knowledge or consent; (2) to the extent that the company collected and shared any information, it was non-identifiable data, and that its use of third-party analytics software identified a user solely by IP address; and (3) the company would only use such data for its own analytics or advertising. The FTC states that Easy Healthcare’s privacy policies over time promised consumers that it would notify and obtain consent from users before using its users’ data for any other purposes.

The FTC alleges that Easy Healthcare shared Premom users’ identifiable health information with third parties through “Custom App Events.” According to the Complaint, Easy Healthcare incorporated into the Premom app software development tools, known as software development kits (“SDKs”), which allowed Easy Healthcare to track and analyze Premom users’ interactions with Premom and transfer its app users’ data—including data about users’ fertility and pregnancies—to the publisher of each SDK. The Complaint states that Easy Healthcare gave these companies (including third-party marketing and analytics firms, some of which were foreign companies) broad latitude to use such data as they saw fit by agreeing to their standard terms of service.

The FTC also alleges that Easy Healthcare failed to implement reasonable privacy and data security measures, including failing to adequately assess the privacy risks of third-party SDKs that were incorporated into Premom, failing to monitor changes in the privacy policies and terms and conditions of the SDK publishers, and failing to engage in audits or compliance reviews regarding the data collection and privacy practices of third-party publishers. The FTC also found that Easy Healthcare failed to enforce compliance with its own privacy promises to consumers.

The Proposed Order

The Proposed Order states that Easy Healthcare must pay a civil penalty of $100,000 to the federal government. In addition to the civil penalty, the Proposed Order prohibits Easy Healthcare from engaging in certain practices, requires it to notify individuals as required under the HBNR, and requires it to engage in various activities designed to bolster its compliance program. Specifically, the Proposed Order includes the following prohibitions and requirements:

  • Permanently prohibits Easy Healthcare from sharing users’ personal health data with third parties for advertising;
  • Requires Easy Healthcare to obtain user consent before sharing personal health data with third parties for other purposes;
  • Requires Easy Healthcare to retain users’ personal information for only as long as necessary to fulfill the purpose for which it was collected;
  • Prohibits Easy Healthcare from making future misrepresentations about its privacy practices;
  • Requires Easy Healthcare to comply with the HBNR’s notification requirements for any future breach of security;
  • Requires Easy Healthcare to seek deletion of data it has shared with third parties;
  • Requires Easy Healthcare to send and post a consumer notice explaining the FTC’s allegations and the settlement; and
  • Requires Easy Healthcare to implement comprehensive security and privacy programs that include strong safeguards to protect consumer data.

Takeaways

As discussed in a prior client alert, the FTC issued a policy statement in September 2021 to affirm that health apps and connected devices that collect or use consumers’ health information must comply with the HBNR. In addition to the policy statement, which appears to have significantly expanded the HBNR’s scope, the FTC recently announced that it would be seeking comment on proposed changes to the HBNR that include clarifying the rule’s applicability to health apps and other similar technologies.

Moreover, the Administration and the FTC have increased scrutiny of companies that share sensitive reproductive health information in the wake of the Dobbs decision last spring reversing the constitutional right to abortion. Since the release of the Dobbs decision, the Administration has worked to bolster protections for sensitive health data related to reproductive health care through a combination of law enforcement and policy initiatives, including a previous FTC enforcement action against Flo Health Inc., the developer of a fertility tracking app, in addition to a commitment from the FTC to protect consumers from companies that misuse reproductive health data.

Digital health companies and other organizations across the health care industry should take note of recent enforcement actions, evaluate whether the HBNR applies to their business, review and update their policies and compliance with FTC requirements, and continue to monitor FTC enforcement actions and other developments regarding the HBNR. This is particularly important for companies that focus on women’s health.

For more information or advice regarding the applicability of the Enforcement Action to your organization, please contact the professional(s) listed below or your regular Crowell & Moring contact.


Jodi G. Daniel

Jodi Daniel is a partner in Crowell & Moring’s Health Care Group and a member of the group’s Steering Committee. She is also a director at C&M International (CMI), an international policy and regulatory affairs consulting firm affiliated with Crowell & Moring. She leads the firm’s Digital Health Practice and provides strategic, legal, and policy advice to all types of health care and technology clients navigating the dynamic regulatory environment related to technology in the health care sector to help them achieve their business goals. Jodi is a contributor to the Uniform Law Commission Telehealth Committee, which drafts and proposes uniform state laws related to telehealth services, including the definition of telehealth, formation of the doctor-patient relationship via telehealth, creation of a registry for out-of-state physicians, insurance coverage and payment parity, and administrative barriers to entity formation.

Brandon C. Ge

Brandon C. Ge is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Privacy and Cybersecurity and Health Care groups.

Brandon advises clients on a wide range of privacy and cybersecurity laws, regulations, and standards. His practice has a particular focus on advising clients – from start-up digital health companies to large health plans – on all aspects of compliance with the Health Insurance Portability and Accountability Act (HIPAA). Brandon regularly assists clients with responding to security incidents and has successfully represented clients in Office for Civil Rights investigations.

Allison Kwon

Allison Kwon supports Crowell Health Solutions, a strategic consulting firm affiliated with Crowell & Moring, to help clients pursue and deliver innovative alternatives to the traditional approaches of providing and paying for health care, including through digital health, health equity, and value-based health care. She is a health care policy consultant in the Washington, D.C. office.