On May 17, 2023, the Federal Trade Commission (the "FTC") reached a settlement with Easy Healthcare Corporation ("Easy Healthcare"), for its fertility-tracking app, Premom. The agency alleged that Easy Healthcare failed to take reasonable measures to address the privacy and security risks created by using software development kits ("SDKs") that shared consumers' health information with third parties. The FTC asserted that this violated the unfairness and deception prongs of Section 5 of the FTC Act, as well as the Health Breach Notification Rule (the "HBNR"). Easy Healthcare will pay a $100,000 civil penalty for violating the HBNR and, among other measures, will also be permanently banned from sharing user personal health data with third parties for advertising.
This enforcement action continues the FTC's aggressive approach towards applications that share consumers' personal health information with third parties for advertising purposes, which it has done by taking an expansive view of its existing rules as well as its unfairness authority. This enforcement action builds upon the GoodRx and BetterHelp enforcement actions from earlier in 2023 and further indicates that the FTC is looking to establish precedent through which it can illustrate what "reasonable" privacy practices are. Companies that operate in the health data space, and especially companies that deal with particularly sensitive health information (such as reproductive data), should be aware of these risks and evaluate their data sharing and compliance practices in light of these recent FTC enforcement decisions.
The Easy Healthcare announcement came in close proximity to the FTC's notice that it was proposing amendments to the HBNR that appear designed to bring the FTC's expansive interpretation of the rule—as illustrated through its enforcement actions and policy statement—in line with its text. This timing, coupled with the FTC's recent enforcement decisions, highlights that companies collecting, using, and storing personal health data should monitor the use and disclosure of personal health information carefully, especially to third parties through SDKs and tracking technologies where that information might be used for marketing or analytics purposes. Given heightened sensitivity around these issues, entities conducting due diligence of acquisitions or potential investments or looking to divest assets need to pay close attention to any data flows to third parties involving health data.
In the below post, we provide a summary of the Easy Healthcare complaint and proposed order, along with key takeaways for businesses. We are happy to answer any additional questions you may have.
The complaint alleges that Easy Healthcare violated Section 5 of the FTC Act and the HBNR.
Deceptive Representations and Omissions Claims
The complaint alleges that Premom made deceptive representations and omissions about its information collection, sharing, and use, including that:
1. Easy Healthcare shared users' sensitive health information with third parties without user consent or knowledge.
Easy Healthcare's privacy policies stated that the company would not share exact age or related health data with any third parties without user consent or knowledge. The privacy policies also represented that Premom would only share non-identifiable data with third parties. The FTC alleged that by integrating various SDKs from third party firms into the Premom app, Easy Healthcare transferred users' data to the publishers of these SDKs.
Specifically, Easy Healthcare tracked "Standard App Events," such as launching or closing the app, along with "Custom App Events," which are user interactions with the app that are unique to Premom. The Custom App Events used descriptive titles to track the users' actions. For example, when a user logged her fertility on the Premom app, Easy Healthcare recorded this Custom App Event as "Calendar/Report/LogFertility." The company used similar descriptive titles to log other events, such as when users saved information related to their period or when users purchased pregnancy test kits. This is a similar allegation as was at issue in the FTC's case against Flo Health that was settled a couple years ago.
The complaint asserts that because Easy Healthcare incorporated SDKs from AppsFlyer and other third parties into the Premom App, Easy Healthcare had been sharing sensitive health information of hundreds of thousands of users via these descriptive titles for years. Since the app also collected unique advertising and device identifiers through SDKs (described in more detail below), the FTC alleged that third parties could use these identifiers to ultimately match them to a specific person.
2. Easy Healthcare shared identifiable user information with foreign entities.
Easy Healthcare represented that its analytics software only identified a user by IP address and that only non-identifiable data was shared with third parties. The complaint alleges, however, that Easy Healthcare incorporated SDKs of a Chinese mobile app analytics provider and a Chinese mobile developer into Premom, and that these SDKs allowed Premom to share with these foreign entities users' social media account information that could identify the individual.
In addition, the complaint alleges that the SDKs collected identifiable information, including resettable and non-resettable identifiers and geolocation information. Resettable identifiers include Android IDs and Android Advertising IDs – alphanumeric combinations assigned by a mobile phone to a user that can be used for targeted advertising – and phone wi-fi Media Access Control ("MAC") addresses. Non-resettable identifiers include router, Bluetooth, and MAC addresses, along with names of wireless networks and Bluetooth devices, which could contain identifying information. Geolocation information collected included precise GPS coordinates. The FTC asserts in its complaint that these identifiers allowed third party companies to track consumers across the internet and across devices.
The FTC complaint highlights the risks associated with non-resettable identifiers, since they are hardcoded onto a device or network that the user cannot change without purchasing a new device or network. A third party might receive multiple pieces of information through an SDK. Using matching lists or other third-party services, a third party could thus link these identifiers to an individual. According to the FTC, the sharing of location data in addition to these other identifiers might make it possible for third parties to associate specific individuals with certain locations, such as their home, work, or healthcare provider locations.
3. Easy Healthcare failed to implement reasonable privacy and data security measures.
The complaint also asserts that Premom did not take reasonable measures to assess and address privacy risks to user information. For instance, the complaint alleges that Easy Healthcare had reviewed and agreed to the Chinese third parties' privacy policies, which allowed these companies to share Premom users' data for any of their own business purposes, including sharing that information with their own advertising and media partners. Therefore, according to the FTC, Easy Healthcare had not adequately assessed the privacy risks of Premom integrating these third-party SDKs. The company also allegedly did not monitor changes in privacy policies and terms and conditions of the SDKs or otherwise review third party data collection/use practices.
In addition, the complaint asserts that Easy Healthcare did not encrypt or label its Custom App Events to prevent the transfer of users' health information to third parties. The FTC alleges that the foreign analytics provider used a non-standard encryption method and included the decryption key in the transfer, a security risk that Easy Healthcare did not assess and address adequately.
The FTC alleged that Easy Healthcare failed to take reasonable measures to assess and address privacy and security risks created by the SDK integrations and that the company failed to encrypt or label Premom users' Custom App Events to prevent the transfer of users' personal health information to third parties, resulting in the transfer of users' health information to those third parties without the users knowledge or consent. In laying out its unfairness case, the FTC alleged the following consumer harms that caused substantial injury to consumers :
1. Users' device identifiers and other identifiable data were sent without proper encryption, thus making this data susceptible interception or seizure by bad actors and foreign governments.
2. Unauthorized disclosure of sensitive facts about individuals' sexual and reproductive health, pregnancy status, and parental status, which may result in stigma or embarrassment, or impact employment, housing, or insurance opportunities.
3. App users had no way of independently knowing about the company's privacy and data security failures and could not have reasonably avoided possible harms from these failures.
Alleged HBNR Violation
The HBNR requires vendors of PHR or PHR-related entities to notify consumers, the FTC, and sometimes the media when they discover certain data breaches. The rule defines a security breach to mean unauthorized acquisition of unsecured PHR identifiable information of an individual. Typically, the term "data breach" is associated with cyberattacks and related malicious threats. Under the HBNR, the FTC has taken the position that unauthorized access to certain health information also qualifies as an actionable data breach.
The complaint asserts that as a vendor of PHRs, Easy Healthcare has experienced security breaches under the HBNR because Premom disclosed the descriptive Custom App Event titles with identifiable health information to third parties without user authorization. The complaint further alleges that this health information was unsecured and transferred to third parties without the use of encryption or other mechanisms to make it unreadable for unauthorized third parties.
The FTC notes that Easy Healthcare's violation of the HBNR is ongoing and that the company has yet to provide notice in accordance with the HBNR to customers.
The Proposed Order
The proposed order imposes a $100,000 civil penalty on the company and permanently bans Easy Healthcare from disclosing health information to third parties for advertising purposes. Furthermore, the company cannot disclose users' health information to third parties for non-advertising purposes without first obtaining affirmative express consent.
The order also prohibits Easy Healthcare from making any misrepresentations about its data collection, use, and disclosure practices. Easy Healthcare must also notify customers, the FTC, and in some cases, media outlets, of data security breaches. This notice must briefly describe the breach and types of PHR identifiable health information involved, along with steps individuals can take to protect themselves from potential harm related to the breach and steps that Easy Healthcare is taking to investigate the breach.
The order places on Easy Health a user notice requirement under which the company must post on the homepage of its websites and on the home screen of its Premom mobile application a notice about the alleged breach. This notice must stay up for six months. Furthermore, Easy Healthcare must send the notice to Covered Users that downloaded and used Premom from November 2017 to August 2022.
The order also requires Easy Healthcare to instruct third parties to delete all covered information they received from users of the Premom app.
Going forward, Easy Healthcare must establish and implement a comprehensive privacy and information security program which includes a data retention policy to limit the retention of covered information, mandatory privacy training programs for all employees, and audits and testing of SDKs and their associated third parties.
Takeaways for Organizations
In light of this recent FTC decision, companies should look to take the following steps to ensure that they are minimizing their compliance risk:
1. Communicate with marketing teams and developers that might be leveraging SDKs in consumer-facing applications. Ensure that the legal and/or compliance lead understands how (and what) information is being shared with third parties, including through SDK integrations, especially if it is health-related data. This includes awareness around descriptive titles are chosen for custom app events.
3. Pay particular attention to any sharing of non-resettable identifiers and geo-location, especially if that data is being shared outside of the United States.
4. Understand that the FTC is taking an expansive approach to the HBNR, so take that into account in deciding whether to make consumer notifications where there has been unintended or inadvertent data sharing with third parties.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.