Governance & Risk Management , HIPAA/HITECH , Privacy
Lawsuit: Fertility App Maker Sent Data to Google, FacebookProposed Class Action Claims Flo Health Shared Users' Sensitive Data Without Consent
A proposed class action lawsuit alleges Flo Health, a fertility-tracking mobile app maker, unlawfully shared sensitive user data with Google, Facebook and two other software vendors, who are named as co-defendants in the legal dispute.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The lawsuit comes on the heels of a recent settlement between Flo Health and the Federal Trade Commission over similar data sharing privacy issues (see: FTC Orders Health App Vendor to Revamp Privacy Practices).
The lawsuit complaint filed in a California federal court on Sept. 2 against Wilmington, Delaware-based startup Flo Health, as well as Google, Facebook and two data analytics vendors - AppsFlyer Inc. and Flurry Inc. - alleges violations of several state and federal laws, including California privacy laws, the Stored Communications Act and the Federal Wiretap Act, among other claims.
The legal action was filed by eight former users of Flo Health's fertility-tracking application - on behalf of others similarly situated - alleging the consumers provided "intimate, personal health details in response to probing survey questions about health and wellness … based on [Flo Health's] repeated assurances that their intimate health data would remain protected and confidential and would not be disclosed to third parties."
Contrary to the company's assurances, "Flo Health knowingly collected, transmitted, and disclosed Plaintiffs’ and Class members’ intimate health data to third parties, including the non-Flo defendants," the lawsuit alleges.
Subsequently, Google, Facebook, AppsFlyer and Flurry "incorporated this information into their existing data analytics and research segments to compile profiles and target users for advertisements," the lawsuit alleges.
"By continuing to contract with Flo Health to receive this data - and using this data for their own purposes - the Non-Flo Defendants - as well as Flo Health - intentionally intruded upon Plaintiffs’ and Class members’ privacy," the lawsuit complaint alleges.
Among other relief, the lawsuit seeks, for plaintiffs and class members, "statutory, actual, compensatory, consequential, punitive, and nominal damages, as well as restitution and/or disgorgement of profits unlawfully obtained."
Flo Health, Google, AppsFlyer and Flurry did not immediately respond to Information Security Media Group's request for comment on the lawsuit.
Facebook declined ISMG's request for comment.
The class action lawsuit comes less than two months after a finalized settlement between Flo Health and the FTC, in which the commission alleged that despite promising to keep users’ health data private, Flo Health shared sensitive health data from millions of users of its Flo Period & Ovulation Tracker app with marketing and analytics firms, including Facebook and Google, after promising users that such information would be kept private.
Under the final settlement reached in June, the FTC ordered Flo Health to notify affected users about the disclosure of their health information and instruct any third party that received users’ health information to destroy that data.
In addition, Flo Health under the settlement is also prohibited from misrepresenting:
- The purposes for which it - or entities to whom it discloses data - collect, maintain, use or disclose the data;
- How much consumers can control these data uses;
- Its compliance with any privacy, security or compliance program;
- How it collects, maintains, uses, discloses, deletes, or protects users’ personal information.
Flo Health's proposed settlement with the FTC announced in January - as well as a similar but separate proposed class action lawsuit filed against another fertility app vendor, Easy Healthcare, in January - also prompted several members of Congress to call on the FTC to begin using its existing authority to protect personal health data (see: Lawmakers Urge FTC to Enforce Health Breach Notification Rule).
The lawsuit filed against Burr Ridge, Illinois-based Easy Healthcare Corp. by a user of the company’s free fertility app, Premom, alleges the Android app is sharing personal and sensitive health data, as well as geolocation data and other information, with three Chinese firms - without first obtaining users’ consent (see: Lawsuit: App Maker Shared Health Data with Chinese Firms).
In letters to the FTC, the bipartisan mix of Congress members demanded the FTC take enforcement action against fertility-tracking mobile apps that allegedly violate the decade-old FTC Health Breach Notification Rule, which covers certain entities not regulated under HIPAA.
Ultimately, the FTC commissioners voted 5-0 to accept a consent agreement with Flo Health that did not invoke the FTC's health breach notification rule. But two commissioners, Rohit Chopra and Rebecca Kelly Slaughter, concurred in part and dissented in part from that settlement.
"In our view, the FTC should have charged Flo with violating the Health Breach Notification Rule," Chopra and Slaughter wrote in a joint statement about the case in January.
"Under the rule, Flo was obligated to notify its users after it allegedly shared their health information with Facebook, Google, and others without their authorization. Flo did not do so, making the company liable under the rule.”
The FTC did not immediately respond to ISMG's request for comment on its dispute with Flo Health.
Actions to Maintain Privacy
Privacy attorney Ashley Thomas of the law firm Holland & Knight LLP says digital health providers need to be transparent about their data collection and sharing practices. "They need to do what they are actually saying they do in public privacy notices," she says.
Thomas says it is common for digital health providers to disclose an individual's information to third-party vendors or service providers, but the providers need to "assess and map the data they are collecting and understand where they are sharing that information."
"Some digital health providers need to better recognize the various touchpoints by which they may be disclosing personal information," she adds.