
USA: FTC's proposed order prohibits Premom from sharing health data for advertising purposes

The Federal Trade Commission (FTC) announced, on May 17, 2023, that the Department of Justice had filed on its behalf a draft order against Easy Healthcare Corporation for deceptive and unfair acts or practices in violation of the Federal Trade Commission Act (FTC Act) and for violations of the Health Breach Notification Rule under the Code of Federal Regulations (C.F.R.).

Background to the case

Easy Healthcare operates a mobile app, Premom, that allows users to input and track various types of personal and health information. The FTC confirmed that between 2017 and 2020, Easy Healthcare promised Premom users in its privacy policies that it would not share health information with third parties without users' knowledge or consent, noting that, to the extent it collected and shared any information, such information was non-identifiable data. The privacy policy also stated that data would only be used for Easy Healthcare's own analytics or advertising.

Findings of the FTC

Following its investigation, the FTC concluded that Easy Healthcare had:

  • made privacy misrepresentations regarding:
    • its disclosures of health information; and
    • its sharing of data with third parties;
  • failed to disclose to users:
    • its sharing of geolocation information with third parties; and
    • third parties' use of the shared personal data;
  • failed to take reasonable measures to assess and address the privacy and data security risks created by third-party software;
  • shared health information for advertising purposes without affirmative express consent; and
  • violated the Health Breach Notification Rule under the C.F.R.

Outcomes

In light of the above, a draft order was filed against Easy Healthcare. The proposed order will require Easy Healthcare to pay $100,000 for violations of the Health Breach Notification Rule and impose, among other things:

  • a permanent ban on the disclosure of health information to third parties for advertising purposes;
  • a permanent ban on misrepresentations, including regarding the collection, maintenance, and disclosure of covered information;
  • a permanent ban on the disclosure of health information without affirmative express consent and notice;
  • a requirement to notify security breaches to:
    • the specific individuals whose identifiable health information was acquired by an unauthorized person as a result of the security breach;
    • the FTC; and
    • prominent media outlets in the relevant state or jurisdiction.

As part of a related action, Easy Healthcare also agreed to pay a total of $100,000 to Connecticut, the District of Columbia, and Oregon.

The proposed order must be approved by the federal court to go into effect.

You can read the announcement here, the complaint here, and the proposed order here.

Update: June 27, 2023

Court orders Easy Healthcare to implement privacy and data security program

The U.S. Department of Justice announced, on June 23, 2023, that the U.S. District Court for the Northern District of Illinois required Easy Healthcare to implement a comprehensive privacy and data security program with safeguards to protect consumer data. The order also requires Easy Healthcare to hire an independent third party to regularly assess its compliance with the privacy program for a period of 20 years.

Importantly, Easy Healthcare is prohibited from:

  • sharing health information with third parties for advertising purposes;
  • sharing health information with third parties for other purposes without obtaining users' affirmative express consent; and
  • making misrepresentations about Easy Healthcare's privacy practices.

Furthermore, Easy Healthcare is required to comply with the Health Breach Notification Rule in the event of any future security breach, and finally, in line with the proposed order, Easy Healthcare must pay $100,000 in civil penalties to the FTC.

You can read the press release here.