A popular fertility tracking app shared users’ sensitive health information with third-party advertisers without their consent, a new Federal Trade Commission complaint alleges.
The FTC’s investigation into Premom, a fertility tracking app developed by Easy Healthcare that allows users to track ovulation, periods, and other health information, found that the company had shared identifiable health and location information with Google and marketing firm AppsFlyer since 2018.
Premom collected and shared data on “hundreds of thousands” of users, including details about their sexual and reproductive health, parental and pregnancy status, as well as other information about an individual’s physical health conditions and status. The app also shared users’ location data along with unique advertising and device identifiers, which could be used by other advertisers to track users across the internet and other apps.
Ultimately it was possible for third parties to associate fertility and pregnancy data “to a specific individual,” the FTC said in its complaint.
The FTC said that this third-party data sharing repeatedly violated Easy Healthcare’s privacy policies, which promised to share only “non-identifiable data” with third parties, in contravention of the FTC’s Health Breach Notification Rule.
Easy Healthcare also allegedly shared users’ sensitive identifiable data with two China-based mobile analytics companies known for “suspect privacy practices,” according to a press release by Connecticut attorney general William Tong. Data including IMEI numbers (strings of numbers tied to individual devices) and precise geolocation data was transferred to analytics firms Jiguang and Umeng between 2018 and 2020, according to the FTC.
The FTC alleges that the company did so knowing that Jiguang and Umeng could use this data for their own business purposes or could transfer the data to additional third parties, and says Easy Healthcare only stopped sharing this data when Google notified the app maker in 2020 that the transfer of data to Umeng violated its Google Play Store policies.
“Premom broke its promises and compromised consumers’ privacy,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said. “We will vigorously enforce the Health Breach Notification Rule to defend consumer’s health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
As part of a proposed settlement filed by the Department of Justice, Easy Healthcare has agreed to pay a $100,000 civil penalty for violating the FTC’s Health Breach Notification Rule. It has also agreed to pay a total of $100,000 to the states of Connecticut and Oregon, and the District of Columbia, which assisted with the FTC’s investigation.
As part of the order, Easy Healthcare has also agreed to stop sharing personal health data with third parties for advertising and is required to request that the third parties delete the data (though the companies are under no legal obligation to comply). Easy Healthcare has also agreed to implement new security and privacy programs and provide regular privacy and security audits to the businesses.
Easy Healthcare didn’t respond to TechCrunch’s request for comment. However, in a statement on its website, Premom said its settlement with the FTC is “not an admission of any wrongdoing.”
This marks the second time the FTC has brought an enforcement action against a company for violating the Health Breach Notification Rule. In February this year, the agency reached a settlement with online pharmacy GoodRx for failing to disclose to users that it shared personally identifiable health information with Facebook, Google and other third parties.