If you’re looking to get pregnant, you can punch data about your periods into an app called Premom, which tells you when you’re ovulating. But why keep the news to yourself? The good folks at Premom know a bunch of advertising companies who’d love to know more about your health, so they shared user data with a bunch of third-parties companies including Google, AppsFlyer, and a couple of businesses in China. And, whoops! Premom forgot to tell users about it (hate it when that happens). Well, the Federal Trade Commission says Premom broke the law. It’s part of an ongoing crusade to protect people from companies that seem to think health privacy doesn’t matter.
“Premom broke its promises and compromised consumers’ privacy,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a press release Wednesday. “We will vigorously enforce the Health Breach Notification Rule to defend consumer’s health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
The Department of Justice filed a proposed order on behalf of the FTC which bans Easy Healthcare Corporation, which operates the Premom app, from sharing health data with third party advertising companies. Easy Health would also have to obtain consent before sharing any other data, and it would have to let users know about all of its privacy practices (which, one hopes, will be less gross going forward). The order has to be approved by a judge before it goes into effect.
The good news is Premom is the only company that would ever do something like this. Just kidding! It is extremely common for companies to share users’ health data. In 2021, the FTC settled a similar case with period tracker Flo Health. (Flo now has an optional “anonymous mode,” which isn’t really anonymous.) Other period trackers have similar problems, not to mention mental health apps. The FTC took a similar action against GoodRX, a prescription coupon outfit that was just as loose with user data. If you’re curious what happens to all that data, why not revisit Gizmodo’s 2022 investigation, which found 32 data brokers selling 2.9 billion profiles’ worth of pregnancy data, right after the Supreme Court said it’s ok to make abortions illegal.
Reached for comment, Easy Health pointed to a statement on its website. “We recently reached a settlement with the FTC. Our agreement with the FTC is not an admission of any wrongdoing,” Premom wrote. “Rest assured that we do not, and will not, ever sell any information about users’ health to third parties, nor do we share it for advertising purposes.” Note that these guarantees are carefully written in the present tense, making no mention of whether or not Premom did this in the past. The company wrote it keeps its promises to users.
Here’s a weird, sad fact about health privacy in the United States: we don’t have much of it. Until recently, the law left a gaping hole that medical data hoarders waltzed through for decades. HIPAA, the law formerly known as the Health Information Portability and Accountability Act, does not protect you the way you think it does. Basically, HIPAA only applies to healthcare providers (doctors and nurses, mostly), insurance companies, and their business associates. Anyone else, like a period tracking app, Google, WebMD, and most other sorry apps and websites where you give up health details were free to do whatever they want with the most personal information about your life.
Sound bad? The FTC thinks so. That’s why it’s been experimenting with a new legal theory to lay the smackdown on ghouls who violate your health privacy.
A few years ago, the FTC made a new rule about health breach notifications. The rule says companies that have health records have to tell consumers, and in some cases the media, when there’s “unauthorized access” to that health information. At the time, it seemed like this law was geared towards data breaches, i.e. hacking or other unintentional leaks.
But in February, the FTC made a bold argument. The commission said it counts as a “breach” when companies share health information with advertising companies without your consent. It’s essentially a pro-consumer power grab which gives the FTC the authority to reign in health privacy offenders. Much to this reporter’s delight, the FTC based its move on an investigation I did on GoodRX for Consumer Reports back in 2020, followed by a similar report in Gizmodo.
This legal argument is, however, a bit of a stretch. If GoodRX or Premom’s owner Easy Health wanted to fight, they could take the FTC to court and argue that the Health Breach Notification Rule (capitalized for formality) doesn’t apply in this situation. The FTC could very well lose a case like that, taking us back to the medical data feeding frenzy status quo.
But GoodRX and Premom didn’t challenge the government, probably because the FTC attached such a small fine to these problems that it makes more sense for the companies to just roll over. (It might also be a bad look to spend years in court arguing in favor of your creepazoid privacy practices). The FTC dinged GoodRX just $1.5 million dollars, a measly 0.2% of GoodRx’s $745 million 2021 revenue. In its latest proposed order, Premom owner Easy Health would pay an impotent $100,000 fine. The FTC said Easy Health also agreed to pay $100,000 to Connecticut, Washington, DC, and Oregon, which worked with the FTC on the case, for violating their respective laws.
In other words, the FTC appears to be making an example out of this health privacy bozo behavior, setting a precedent to give itself more authority, and attempting to scare other companies into treating people’s medical data with the respect they assume they already have. In exchange, the FTC is sacrificing meaningful fines, letting GoodRX and Easy Health sneak by with a slap on the wrist and some bad press.
Update, May 18, 2:28 pm EST: This story has been updated with a comment from Premom.