A preferred fertility monitoring app shared customers’ delicate well being info with third-party advertisers with out their consent, a brand new Federal Commerce Fee criticism alleges.
The FTC’s investigation into Premom, a fertility monitoring app developed by Straightforward Healthcare that enables customers to trace ovulation, durations, and different well being info, discovered that the corporate had shared identifiable well being and placement info with Google and advertising agency AppsFlyer since 2018.
Premom collected and shared information on “lots of of 1000’s” of customers, together with particulars about their sexual and reproductive well being, parental and being pregnant standing, in addition to different details about an people’ bodily well being circumstances and standing. The app additionally shared customers’ location information together with distinctive promoting and machine identifiers, which may very well be utilized by different advertisers to trace customers throughout the web and different apps.
Finally it was potential for third events to affiliate fertility and being pregnant information “to a selected particular person,” the FTC mentioned in its criticism.
The FTC mentioned that this third-party information sharing repeatedly violated Straightforward Healthcare’s privateness insurance policies, which promised to share solely “non-identifiable information” with third events, in contravention of the FTC’s Well being Breach Notification Rule.
Straightforward Healthcare additionally allegedly shared customers’ delicate identifiable information with two China-based cellular analytics firms identified for “suspect privateness practices,” in keeping with an announcement by Connecticut legal professional common William Tong. Knowledge together with IMEI numbers — strings of numbers tied to particular person gadgets — and exact geolocation information have been transferred to analytics corporations Jiguang and Umeng between 2018 and 2020, in keeping with the FTC.
The FTC alleges that the corporate did so figuring out that Jiguang and Umeng might use this information for their very own enterprise functions or might switch the information to extra third events, and says Straightforward Healthcare solely stopped sharing this information when Google notified the app maker in 2020 that the switch of knowledge to Umeng violated its Google Play Retailer insurance policies.
“Premom broke its guarantees and compromised customers’ privateness,” Samuel Levine, director of the FTC’s Bureau of Shopper Safety, mentioned. “We’ll vigorously implement the Well being Breach Notification Rule to defend shopper’s well being information from exploitation. Corporations amassing this info needs to be conscious that the FTC is not going to tolerate well being privateness abuses.”
As part of a proposed settlement filed by the Division of Justice, Straightforward Healthcare has agreed to pay a $100,000 civil penalty for violating the FTC’s Well being Breach Notification Rule. It has additionally agreed to pay a complete of $100,000 to the states of Connecticut and Oregon, and the District of Columbia, and, which assisted with the FTC’s investigation.
As a part of the order, Straightforward Healthcare has additionally agreed to cease sharing private well being information with third events for promoting and is required to request that the third events delete the information (although the businesses are underneath no authorized obligation to conform). Straightforward Healthcare has additionally agreed to implement new safety and privateness applications and supply common privateness and safety audits to the companies.
Straightforward Healthcare didn’t reply to TechCrunch’s request for remark. Nonetheless, in an announcement on its web site, Premom mentioned its settlement with the FTC is “not an admission of any wrongdoing.”
This marks the second time the FTC has introduced an enforcement motion in opposition to an organization for violating the Well being Breach Notification Rule. In February this 12 months, the company reached a settlement with on-line pharmacy GoodRx for failing to confide in customers that it shared personally identifiable well being info with Fb, Google and different third events.