Fertility app used by 500k women sold private health data to shady Chinese firms

A popular fertility app used by women to track their reproductive health will pay $200,000 to settle claims that it shared highly sensitive data from thousands of users to shady Chinese companies.

Premom – an Illinois-based company that purports to have about half a million users who can upload confidential information about their menstrual cycles, reproductive health conditions, and other fertility-related data. 

The company was charged with giving away identifiable user health information and precise geolocation information with Google and two China-based companies known for ‘suspect privacy practices.’ 

Easy Healthcare, Premom’s developer, has pledged to stop sharing sensitive information, though it did not admit to any wrongdoing.

Last year’s upending of legal abortion access brought a renewed wave of concerns over health privacy as millions of American women use fertility apps to keep track of their cycles, which could potentially be used to penalize anyone seeking or considering an abortion.

More than a dozen states have restricted access to abortions following the overturning of Roe V Wade

Premom asks users to upload details about their sexual health such as ovulation and basal body temperature to receive personalized, remote analysis to help predict how to get pregnant naturally

Premom asks users to upload details about their sexual health such as ovulation and basal body temperature to receive personalized, remote analysis to help predict how to get pregnant naturally

Premom is owned by Illinois-based Easy Healthcare, a medical supplies e-commerce company. Premom allows users to upload their ovulation test strips, which Easy Healthcare also makes

Premom is owned by Illinois-based Easy Healthcare, a medical supplies e-commerce company. Premom allows users to upload their ovulation test strips, which Easy Healthcare also makes

DC Attorney General Brian Schwalb said: ‘District residents who used the Premom app were entitled to have their locations and devices kept confidential, but Easy Healthcare shared that private information with third parties without notice or consent, putting users at risk.

‘Now more than ever, with reproductive rights under attack across the country, it is essential that the privacy of healthcare decisions is vigorously protected. My office will continue to make sure companies protect consumers’ personal information to protect against unlawful encroachment on access to effective reproductive healthcare.’

The FTC did not disclose the names of the Chinese firms that got hold of the sensitive information, but said they had been ‘flagged for suspect privacy practices.’

The widespread concerns about sharing sensitive data regarding reproductive health hit a fever pitch in June 2022 when the Supreme Court overturned a 50 year precedent for legal abortion.

The data stored on apps like Premom is extremely telling – when a period stops or starts and when a pregnany starts and stops. And privacy experts have been on edge since then, knowing full well that data could be subpoenaed or sold to third parties.

The app launched in 2017 but enjoyed a major milestone in November 2019 with half a million downloads. 

During the pandemic, business shifted to a largely remote platform across many industries. Premom began offering virtual consultations with fertility specialists in July 2020. 

HIPAA, the federal health information privacy law, does not have jurisdiction over period tracking apps and in fact aspects of the law have failed to keep up with the advent of new technologies such as fitness trackers.

Easy Healthcare, for its part, said: ‘Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to put this matter behind us and focus on you, our users.

‘Rest assured that we do not, and will not, ever sell any information about users’ health to third parties, nor do we share it for advertising purposes… Protecting users’ data is a high priority, which is why we have always been transparent with and cooperated fully throughout the FTC’s review of our privacy program.’

Under the settlement, the company has agreed to a $100,000 civil penalty for violating the Health Breach Notification Rule, according to the FTC.

It will also pay $100,000 to the state AGs.

Wednesday’s settlement agreement follows FTC action taken against a similar app called Flo about three years ago. The app, used by over 100 million women, received a slap on the wrist for failing to put limits on how third-party companies such as Google and Facebook could use the health information of millions of women, which led to these companies using the private data for targeted online ads.

The investigation found that the app was sharing data all while the company repeatedly promised users that their data would be protected and not shared with others.

How can your location data be purchased? 

Smartphones collect a vast amount of data about their users, which can be sold on to third parties.

This can include location tracking, which records where a person has been with their cell phone and when – down to individual buildings.

If a user gives permission to an app on their cell phone to track this data, and also gives permission for that location data to be sold, third parties can then purchase it for their own use.

Data broker companies purchase this data from the app developers and re-package it for a number of purposes, such as marketing and advertising – and sell it on further to other companies.

But if they can afford it, the data can be purchased and then used by everyone – including law enforcement and members of the public.

Vice News reported that it had purchased data from SafeGraph that specifically related to people who had visited abortion clinics.

While SafeGraph has said it would stop selling location data relating to visitors of family planning clinics, the report has raised fears that other data brokers could also sell such data.

***
Read more at DailyMail.co.uk