On Might 17, 2023, the Federal Commerce Fee (“FTC”) introduced an enforcement motion (“Enforcement Motion”) in opposition to Illinois-based Straightforward Healthcare Company (“Straightforward Healthcare”), which operates the Premom software, for allegedly violating Part 5 of the FTC Act and the Well being Breach Notification Rule (“HBNR”). Straightforward Healthcare has developed, marketed, and distributed a cell software referred to as the Premom Ovulation Tracker (“Premom”) that enables customers to enter and monitor numerous varieties of private and well being data. Within the criticism (“Criticism”), the FTC alleges that Straightforward Healthcare deceived customers by disclosing customers’ delicate well being information with third events and didn’t notify customers of those unauthorized disclosures in violation of the HBNR. The proposed order (“Proposed Order”), which was introduced by the U.S. Division of Justice on behalf of the FTC, imposes a civil penalty of $100,000 and prohibits Straightforward Healthcare from sharing person private well being information with third events for promoting, amongst different necessities. As a part of a associated motion, Straightforward Healthcare has agreed to pay an extra $100,000 to Connecticut, the District of Columbia, and Oregon for violating their respective legal guidelines.
The most recent enforcement motion in opposition to Premom follows latest FTC actions in opposition to GoodRx Holdings, Inc. for violating Part 5 of the FTC Act and the HBNR and BetterHelp, Inc. for violating Part 5 of the FTC Act, which seems to be half of a bigger effort by the FTC to watch the practices of internet sites, apps, and related units that seize shopper’s delicate well being data. The motion additionally alerts the FTC’s highlight on firms’ use of reproductive well being information, significantly in menstrual cycle and fertility purposes, within the wake of the Dobbs v. Jackson Girls’s Well being Group (“Dobbs”) determination.
The Criticism
In accordance with the Criticism, the FTC alleges that, between 2017 and 2020, Straightforward Healthcare repeatedly and falsely promised Premom customers in in its privateness insurance policies that (1) it might not share well being data with third events with out customers’ data or consent; (2) to the extent that the corporate collected and shared any data, it was non-identifiable information, and that its use of third-party analytics software program recognized a person solely by IP handle; and (3) the corporate would solely use such information for its personal analytics or promoting. The FTC states that Straightforward Healthcare’s privateness insurance policies over time promised customers that it might notify and acquire consent from customers earlier than utilizing its customers’ information for another functions.
The FTC alleges that Straightforward Healthcare shared Premom customers’ identifiable well being data via “Customized App Occasions” to 3rd events. In accordance with the Criticism, Straightforward Healthcare integrated into the Premom app software program improvement instruments, referred to as software program improvement kits (“SDKs”), which allowed Straightforward Healthcare to trace and analyze Premom customers’ interactions with Premom and switch its app customers’ information—together with information about customers’ fertility and pregnancies—to the writer of every SDK. The Criticism states that Straightforward Healthcare gave these firms (together with third-party advertising and marketing and analytics companies, a few of which have been overseas firms) broad latitude to make use of such information as they noticed match by agreeing to their commonplace phrases of service.
The FTC additionally alleges that Straightforward Healthcare didn’t implement affordable privateness and information safety measures, together with failing to adequately assess the privateness dangers of third-party SDKs that have been integrated into Premom, failing to watch adjustments within the privateness insurance policies and phrases and situations of the SDK publishers, and failing to interact in audits or compliance critiques relating to the information assortment and privateness practices of third-party publishers. The FTC additionally discovered that Straightforward Healthcare didn’t implement compliance with their very own privateness guarantees to customers.
The Proposed Order
The Proposed Order states that Straightforward Healthcare should pay a civil penalty of $100,000 to the federal authorities. Along with the civil penalty, the Proposed Order prohibits Straightforward Healthcare from partaking in sure practices, requires it to inform people as required beneath the HBNR, and requires it to interact in numerous actions designed to bolster its compliance program. Particularly, the Proposed Order consists of the next prohibitions and necessities:
- Completely prohibits Straightforward Healthcare from sharing customers’ private well being information with third events for promoting;
- Requires Straightforward Healthcare to acquire person consent earlier than sharing private well being information with third events for different functions;
- Requires Straightforward Healthcare to retain customers’ private data for under so long as mandatory to meet the aim for which it was collected;
- Prohibits Straightforward Healthcare from making future misrepresentations about its privateness practices;
- Requires Straightforward Healthcare to adjust to the HBNR’s notification necessities for any future breach of safety;
- Requires Straightforward Healthcare to hunt deletion of knowledge it has shared with third events;
- Requires Straightforward Healthcare to ship and put up a shopper discover explaining the FTC’s allegations and the settlement; and
- Requires Straightforward Healthcare to implement complete safety and privateness packages that embrace robust safeguards to guard shopper information.
Takeaways
As mentioned in a previous consumer alert, the FTC issued a coverage assertion in September 2021 to affirm that well being apps and related units that accumulate or use customers’ well being data should adjust to the HBNR. Along with the coverage assertion, which seems to have considerably expanded the HBNR’s scope, the FTC just lately introduced that it might be looking for touch upon proposed adjustments to the HBNR that embrace clarifying the rule’s applicability to well being apps and different related applied sciences.
Furthermore, the Administration and the FTC have elevated scrutiny on firms that share delicate reproductive well being data within the wake of the Dobbs determination final spring reversing the constitutional proper to abortion. Because the launch of the Dobbs determination, the Administration has labored to bolster protections for delicate well being information associated to reproductive well being care via a mixture of legislation enforcement and coverage initiatives, together with a earlier FTC enforcement motion in opposition to Flo Well being Inc., the developer of a fertility monitoring app, along with dedication from the FTC to guard customers from firms that misuse reproductive well being information.
Digital well being firms and different organizations throughout the well being care trade ought to be aware of latest enforcement actions, consider whether or not the HBNR applies to their enterprise, evaluation and replace insurance policies and compliance with FTC requirement, and proceed to watch FTC enforcement actions and different developments relating to the HBNR. That is significantly essential for firms that concentrate on ladies’s well being.
For extra data or recommendation relating to the applicability of the Enforcement Motion to your group, please contact the skilled(s) listed under or your common Crowell & Moring contact.
