On June 23, 2023, the Department of Justice (DOJ) and Federal Trade Commission (FTC) announced a stipulated resolution with Easy Healthcare Corporation to address allegations that Easy Healthcare violated Section 5 of the FTC Act and the Health Breach Notification Rule (HBNR) in connection with its ovulation and period-tracking mobile application.
The stipulated order requires the company to (i) pay $100,000 in civil penalties, (ii) adopt a comprehensive privacy and data security program, and (iii) hire an independent third party to regularly assess its compliance with the privacy program for a period of 20 years. The order also prohibits the company from sharing health information with third parties without user consent and prohibits such disclosures for advertising purposes.
The complaint alleges that Easy Healthcare engaged in deceptive and unfair acts by (i) sharing consumer identifiers without user notice or consent, including sharing sensitive personal health information with third-party companies; (ii) failing to disclose to users how those third parties could use their information, including for advertising; and (iii) failing to take reasonable measures to assess and address the privacy and data security risks created by incorporating third-party software into their application.
Easy Healthcare developed the Premom Ovulation Tracker application to help users track their periods and ovulation. In its privacy policy, Easy Healthcare stated it would share only non-identifiable data for its own analytics purposes and that it would otherwise obtain user consent before sharing health information. The complaint alleges that, in violation of its own policy, Easy Healthcare shared Premom users’ identifiable health information with Google and other analytics firms. The data Easy Healthcare shared allegedly included dates of menstrual cycles, temperatures, pregnancy status and symptoms, weight, and hormone results.
The complaint also alleges that Easy Healthcare violated the HBNR by failing to notify its users, the FTC, and the media of unauthorized disclosures of user information. The FTC implemented the HBNR to address consumer privacy gaps that HIPAA does not cover — to regulate companies that collect health information and maintain personal health records (PHR), but which are not Covered Entities or Business Associates. Under the HBNR, if a breach of unsecured PHR identifiable health information occurs, FTC requires vendors of personal health records or related entities to notify their affected users and the FTC and, depending on the circumstances, the media. On June 9, 2023, the FTC published a notice of proposed rulemaking to amend the HBNR to clarify its applicability to health apps and request public comments on the proposed changes. For details and background regarding the proposed rule, see McGuireWoods’ Aug. 3, 2023, legal alert.
This case is a good example of the need for companies that collect health-related consumer information, but are not subject to HIPAA, to adopt appropriate privacy and data security policies and to ensure that their practices are in compliance with their policies. Such policies should, in addition to addressing privacy and security safeguards and how such entities may use and disclose such information, address health information breaches. The FTC and DOJ have indicated that they intend to aggressively enforce HBNR and other laws to protect consumers from health data exploitation. An increasing number of states have also adopted privacy laws that may be implicated when such companies collect, use, and disclose consumer health information.
McGuireWoods’ data privacy and security attorneys regularly advise healthcare providers that are subject to HIPAA, as well as companies that collect health-related consumer information, but are not subject to HIPAA. Please contact the authors of this article for any questions you may have regarding this case or privacy and security concerns more generally.