On May 17, District of Colombia Attorney General Brian Schwalb announced the settlement of an investigation into Easy Healthcare Corporation, requiring the company to change its privacy practices involving the ovulation tracking app “Premom” to protect the sensitive reproductive data of consumers. Easy Health agreed to several remedial measures intended to prevent the disclosure of sensitive information to third parties and to pay a $100,000 penalty to the states involved with the investigation.

According to the announcement, Easy Healthcare provides several home health care products, including the Premom app — an ovulation tracker, menstrual tracker, and fertility tool. In 2020, the International Digital Accountability Council (IDAC) raised concerns that the Premom app shared sensitive user data with third parties, including two China-based companies flagged for questionable privacy practices. Software development kits (SDK) facilitated the transfer of sensitive information to the companies seemingly unbeknownst to Easy Healthcare, which immediately stopped using the SDK after receiving notice from the IDAC.

The District of Colombia, Oregon, and Connecticut investigated the company in coordination with the FTC, confirming that Easy Healthcare shared sensitive health care data with third parties without consumer notice or consent. Easy Healthcare agreed to resolve the investigation by making significant changes to its privacy and security programs, including:

  • Collecting and using personal information only for specified, legitimate, and necessary purposes and not using the information if it conflicts with those purposes;
  • Providing consumers with enhanced disclosures on information collection practices;
  • Not sharing health or location data with third parties without user consent;
  • Providing an avenue for consumers to request the deletion of their personal information;
  • Implementing a vendor risk management program and monitoring all information collection by third parties;
  • Performing a privacy risk assessment; and
  • Undergoing third-party assessments of the company’s privacy and data security practices.

Easy Healthcare also agreed to enter a stipulated order with the Department of Justice in connection with the FTC investigation. According to AG Schwalb, “District residents who used the Premom app were entitled to have their locations and devices kept confidential, but Easy Health shared that private information with third parties without notice or consent, putting users at risk.”

Why It Matters

It is incumbent on companies to audit their products and services (including mobile apps) to ensure sound privacy practices — especially if those products and services collect consumer data. Now is the time to ensure disclosure accurately reflects the business’ information practices, including what data is collected and with whom it is shared. Failure to do so may result in the company finding itself in the crosshairs of a significant regulatory investigation.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Stephen C. Piepgrass Stephen C. Piepgrass

Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies,

Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He focuses his practice on enforcement actions, investigations, and litigation. Stephen primarily represents clients engaging with, or being investigated by, state attorneys general and other state or local governmental enforcement bodies, including the CFPB and FTC, as well as clients involved with litigation, with a particular focus on heavily regulated industries. He also has experience advising clients on data and privacy issues, including handling complex investigations into data incidents by state attorneys general other state and federal regulators. Additionally, Stephen provides strategic counsel to Troutman Pepper’s Strategies clients who need assistance with public policy, advocacy, and government relations strategies.

Photo of Sadia Mirza Sadia Mirza

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’

Sadia leads the firm’s Incidents + Investigations team, advising clients on all aspects of data security and privacy issues. She is the first point of contact when a security incident or data breach is suspected, and plays a central role in her clients’ cybersecurity strategies.

Photo of Daniel Waltz Daniel Waltz

Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on

Daniel is a member of the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group and State Attorneys General team. He counsels clients in connection with navigating complex government investigations, regulatory compliance, and transactions, involving state and federal government contracting obligations. Drawing on his broad experience as a former assistant attorney general for the state of Illinois, Daniel is a problem solver both inside and outside the courtroom.