The Federal Trade Commission says the fertility app Premom shared health data with third-party organizations and misled users over their privacy practices.
The FTC claimed the company “disclosed users’ sensitive health data to AppsFlyer and Google, and failed to notify consumers of these unauthorized disclosures in violation of the Health Breach Notification Rule.”
In a statement, Easy Healthcare, parent company of the app, denies selling health information to third parties.
“Easy Healthcare is proud to offer the Premom App, a safe and secure mobile application that helps women get pregnant naturally and quickly,” it said in a statement. “We recently reached a settlement with the FTC. Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to put this matter behind us and focus on you, our users.”
In the settlement, Premom is prohibited from sharing health information with third parties for advertising. It also must obtain permission from users to share information to third parties for other purposes, and it must “notify users about the company’s unauthorized disclosure of their personally identifiable health information to Facebook, Google and others.”
FTC: Facebook failed to protect children's privacy
This is the third time the FTC has acted against Meta over allegations of not protecting users' privacy.
The FTC alleged that the information given to third parties was highly sensitive and included information about a user’s sexual and reproductive health, parental and pregnancy status, and physical health conditions and status.
“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to defend consumers' health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
The FTC also alleged that Premom failed to encrypt the information it sent to third parties, subjecting the data to unauthorized seizure.
Easy Healthcare Corporation has agreed to pay a $100,000 civil penalty.
The agreement is subject to a judge’s approval.