The company behind fertility app Premom has entered into a settlement with the Federal Trade Commission and attorneys general in Connecticut, D.C. and Oregon for allegedly sharing sensitive user information with third parties without receiving consent.
Premom allegedly shared user identifiers — strings of numbers tied to individual devices — along with sensitive information such as locations with two China-based companies known for “suspect privacy practices,” a statement from the office of D.C.’s attorney general said Wednesday.
Premom’s owner, Easy Healthcare, has agreed to stop sharing the data and pay a settlement fee of $200,000 in total to attorneys general in D.C., Connecticut and Oregon as well as the FTC. Easy Healthcare denied the allegations and any wrongdoing, according to the settlement. The company couldn’t immediately be reached for separate comment.
“District residents who used the Premom app were entitled to have their locations and devices kept confidential, but Easy Healthcare shared that private information with third parties without notice or consent, putting users at risk,” said D.C. Attorney General Brian L. Schwalb. “Now more than ever, with reproductive rights under attack across the country, it is essential that the privacy of healthcare decisions is vigorously protected. My office will continue to make sure companies protect consumers’ personal information to protect against unlawful encroachment on access to effective reproductive healthcare.”
Schwalb’s office cooperated with the FTC and the attorneys general of Oregon and Connecticut in its investigation.
This comes in a string of federal actions against digital health companies, which could mark shifting tides for an industry that until now has seen little oversight. The FTC called out digital prescription app GoodRx in February, proposing a ban on the app sharing users’ health data for advertising. And in March, mental health app BetterHelp settled with the FTC after allegedly sharing information about users’ mental health concerns with outside companies including Facebook and Snapchat. Both GoodRx and BetterHelp said at the time that the practices in question were common for the industry.
The settlements came after The Washington Post discovered in a 2022 investigation that many popular digital health apps — including Drugs.com and WebMD — share user identifiers along with health concerns such as depression and HIV. And the U.S. health privacy law, the Health Insurance Portability and Accountability Act (HIPAA), doesn’t protect consumers from this sort of data sharing. A February study from Duke University’s Sanford School of Public Policy found data companies selling information on people’s antidepressant use, insomnia, attention deficits, Alzheimer’s disease and incontinence.
“There is a constellation of companies engaged in what I call digital pharmaceutical marketing, using machine learning, artificial intelligence and access to data brokers to identify the conditions that you, your family members, even your children have,” said Jeffrey Chester, executive director of the digital rights advocacy group Center for Digital Democracy.
People should be concerned about health apps sharing potentially sensitive data because that information could fuel predatory health marketing or discrimination, Chester said. The overturning of Roe v. Wade, which protected the right to abortion nationwide, brought a fresh wave of concerns about health privacy. Apps collect and store everything from our menstrual cycles to our daily movements, abortion advocates warned, and that information can be helpful to state governments prosecuting people who seek abortions.
The government’s approach in its actions against apps including Premom will have ripple effects for the entire industry, said Pam Dixon, founder and executive director of the World Privacy Forum. In their settlement with Premom, the attorneys general said the app’s nonconsensual disclosure of user data ran afoul of rules against “unfair and deceptive practices.” In its case against GoodRx, the FTC said the app was unfair and deceptive and violated the Health Breach Notification Rule by sharing user data without proper consent and misrepresenting its HIPAA compliance. Both actions put pressure on other health apps to properly disclose their data-sharing and avoid misrepresenting their HIPAA compliance, Dixon said.
How far federal and state governments will go to rein in risky data-sharing remains to be seen. For now, avoid sharing sensitive health information with apps and browsers whenever possible. Choose apps that store your data on your device, rather than the cloud, and opt for a privacy browser such as Safari or DuckDuckGo.