On May 17, District of Colombia Attorney General Brian Schwalb announced the settlement of an investigation into Easy Healthcare Corporation, requiring the company to change its privacy practices involving the ovulation tracking app “Premom” to protect the sensitive reproductive data of consumers. Easy Health agreed to several remedial measures intended to prevent the disclosure of sensitive information to third parties and to pay a $100,000 penalty to the states involved with the investigation.

According to the announcement, Easy Healthcare provides several home health care products, including the Premom app — an ovulation tracker, menstrual tracker, and fertility tool. In 2020, the International Digital Accountability Council (IDAC) raised concerns that the Premom app shared sensitive user data with third parties, including two China-based companies flagged for questionable privacy practices. Software development kits (SDK) facilitated the transfer of sensitive information to the companies seemingly unbeknownst to Easy Healthcare, which immediately stopped using the SDK after receiving notice from the IDAC.

The District of Colombia, Oregon, and Connecticut investigated the company in coordination with the FTC, confirming that Easy Healthcare shared sensitive health care data with third parties without consumer notice or consent. Easy Healthcare agreed to resolve the investigation by making significant changes to its privacy and security programs, including:

  • Collecting and using personal information only for specified, legitimate, and necessary purposes and not using the information if it conflicts with those purposes;
  • Providing consumers with enhanced disclosures on information collection practices;
  • Not sharing health or location data with third parties without user consent;
  • Providing an avenue for consumers to request the deletion of their personal information;
  • Implementing a vendor risk management program and monitoring all information collection by third parties;
  • Performing a privacy risk assessment; and
  • Undergoing third-party assessments of the company’s privacy and data security practices.

Easy Healthcare also agreed to enter a stipulated order with the Department of Justice in connection with the FTC investigation. According to AG Schwalb, “District residents who used the Premom app were entitled to have their locations and devices kept confidential, but Easy Health shared that private information with third parties without notice or consent, putting users at risk.”

Why It Matters

It is incumbent on companies to audit their products and services (including mobile apps) to ensure sound privacy practices — especially if those products and services collect consumer data. Now is the time to ensure disclosure accurately reflects the business’ information practices, including what data is collected and with whom it is shared. Failure to do so may result in the company finding itself in the crosshairs of a significant regulatory investigation.