FTC Orders Health App Vendor to Revamp Privacy Practices
Enforcement Action Centers on Data Not Covered Under HIPAA
The Federal Trade Commission announcement this week of a proposed health data privacy settlement with Flo Health, a fertility-tracking mobile app vendor, illustrates how the agency can play a critical role in helping ensure data not regulated under HIPAA is protected.
The Wilmington, Delaware-based app vendor has agreed to a major revamp of its privacy practices under a proposed settlement with the FTC. The commission alleged the startup company violated the FTC Act by misrepresenting to millions of women how it shared their sensitive health data with third-party analytics firms.
Under the proposed settlement, which will be finalized after a public comment period, Flo Health must get app users’ consent before sharing their health information. It also must obtain an independent review of its privacy practices.
Privacy attorney Iliana Peters of the law firm Polsinelli says the FTC action offers important lessons.
“This settlement is particularly instructive both for entities working with health information not covered by HIPAA and for consumers,” she says. “Clearly, the FTC remains interested in the privacy and security of such health information, and will obviously step in where the Department of Health and Human Services cannot - and even where HHS can.”
The HIPAA Privacy Rule applies to covered entities - health plans, healthcare clearinghouses and most healthcare providers - and to their business associates. For the most part, it does not cover health data that consumers enter directly into apps or share with technology vendors outside of healthcare settings.
The FTC alleges that the developer of the period- and fertility-tracking app used by more than 100 million consumers shared the health information of users with data analytics providers, including Facebook and Google, after promising users that such information would be kept private.
“By encouraging millions of women to input extensive information about their bodies and mental and physical health, [Flo Health] has collected personal information about consumers, including name, email address, date of birth, place of residence, dates of menstrual cycles, when pregnancies started and ended, menstrual- and pregnancy-related symptoms, weight and temperature,” the FTC says in its complaint against the company.
“Between 2017 and 2019, [Flo Health] repeatedly promised users that the Flo App would keep their health data private, and that [Flo Health] would only use Flo App users’ data to provide the Flo App’s services,” the FTC says. Many users entrusted the company with their health information because they believed that it abided by its privacy policies, the commission adds.
In privacy policies in effect between August 28, 2017, and February 19, 2019, Flo Health explained that it “may share certain personal data with third parties, but only for purposes of operating and servicing the Flo App,” the FTC says. “In fact, as far back as June 2016, [Flo Health] integrated into the Flo App software development tools … from the numerous third-party marketing and analytics firms … including Facebook, Flurry, Fabric, AppsFlyer and Google. These software development kits gathered the unique advertising or device identifiers and custom app events of the millions of Flo App users.”
The FTC contends that Flo Health disclosed sensitive health information, such as a user’s pregnancy, to third parties in the form of “app events” - app data transferred to third parties. “In addition, Flo Health did not limit how third parties could use this health data,” the commission states.
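The mechanism the complaint describes, third-party SDKs receiving custom app events whose names and properties carry health data, is easiest to see in code. The following is an added example, not code from Flo Health or from any of the SDK vendors named above: a single allowlisting chokepoint placed in front of every analytics SDK that drops events until the user has consented, drops any event name not on an allowlist, and strips property keys that look like identifiers or health data before anything leaves the process. The event names, property keys, regular expression and the RecordingSdk stand-in are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Event names that may reach a third party. Hypothetical list constructed for
# this example: anything not listed is dropped, so a new developer-defined event
# such as "pregnancy_started" cannot leak by default.
ALLOWED_EVENTS = {"app_opened", "screen_viewed", "settings_changed", "purchase_completed"}

# Property keys that describe a person, a device or their health. Any match is
# stripped before the event is forwarded. Constructed list; extend per product.
SENSITIVE_KEY_RE = re.compile(
    r"(pregnan|menstru|period|cycle|symptom|weight|temperature|"
    r"email|name|birth|dob|address|user_id|advertising_id|idfa|gaid)",
    re.IGNORECASE,
)


@dataclass
class RecordingSdk:
    """Stand-in for a real analytics SDK: records what it would have transmitted."""

    sent: List[Tuple[str, Dict[str, object]]] = field(default_factory=list)

    def track(self, name: str, props: Dict[str, object]) -> None:
        self.sent.append((name, dict(props)))


class AnalyticsGate:
    """Single chokepoint between application code and every third-party SDK."""

    def __init__(self, sdks: List[RecordingSdk]) -> None:
        self.sdks = sdks
        self.consent = False          # default deny until the user opts in
        self.audit: List[str] = []    # decision log for review

    def set_consent(self, granted: bool) -> None:
        self.consent = granted

    def track(self, name: str, props: Dict[str, object]) -> str:
        """Forward, scrub or drop one event; returns the decision taken."""
        if not self.consent:
            decision = f"dropped:no_consent:{name}"
        elif name not in ALLOWED_EVENTS:
            # The event name itself can be the disclosure, so unlisted names
            # are dropped outright rather than scrubbed.
            decision = f"dropped:unlisted_event:{name}"
        else:
            clean = {k: v for k, v in props.items() if not SENSITIVE_KEY_RE.search(k)}
            stripped = sorted(set(props) - set(clean))
            for sdk in self.sdks:
                sdk.track(name, clean)
            decision = f"forwarded:{name}:stripped={','.join(stripped) or '-'}"
        self.audit.append(decision)
        return decision


def demo() -> Tuple[List[str], List[Tuple[str, Dict[str, object]]]]:
    """Run constructed sample events through the gate; returns (audit log, what the SDK got)."""
    sdk = RecordingSdk()
    gate = AnalyticsGate([sdk])
    # Constructed events in the style of "custom app events"; names are hypothetical.
    gate.track("app_opened", {"platform": "ios"})  # dropped: no consent yet
    gate.set_consent(True)
    gate.track("app_opened", {"platform": "ios",
                              "advertising_id": "00000000-0000-0000-0000-000000000000"})
    gate.track("pregnancy_started", {"week": 6})  # unlisted name: dropped
    gate.track("screen_viewed", {"screen": "calendar", "cycle_day": 14})  # cycle_day stripped
    return gate.audit, sdk.sent


if __name__ == "__main__":
    audit, sent = demo()
    print("\n".join(audit))
    print(sent)
```

The design choice worth noting is default-deny on event names rather than scrubbing values: as the complaint describes it, a developer-chosen event name that signals a pregnancy is itself the disclosure, so a gate that only redacts property values would still forward it. The audit log is what an independent privacy review, of the kind the proposed order requires, can check against the SDK's own records.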
The FTC notes in its statement that Flo Health did not stop disclosing consumers’ sensitive data “until its practices were revealed in a news article in February 2019, which prompted hundreds of complaints from the app’s users.”
Under the FTC consent order, Flo Health is prohibited from misrepresenting:
- The purposes for which it or entities to whom it discloses data collect, maintain, use or disclose the data;
- How much consumers can control these data uses;
- Its compliance with any privacy, security or compliance program;
- How it collects, maintains, uses, discloses, deletes or protects users’ personal information.
Notice to Consumers
Also, under the consent order, Flo Health must send its users a detailed notice about the kinds of personal data - including information about periods and pregnancies - the company shared with data analytics firms.
Flo Health also must instruct any third party that received users’ health information to destroy that data, the FTC says.
In a statement provided to Information Security Media Group, Google says: “Companies that use Google Analytics on their websites and apps own all data collected by the service and can delete that data at any time - Google only processes data as instructed by the customer.
“Google does not allow personally identifiable information to be passed through Google Analytics. We don’t build advertising profiles from sensitive data like health conditions, and we have strict policies preventing developers and advertisers from using such data to personalize ads.”
Facebook did not immediately respond to ISMG’s request for comment.
Flo Health Statement
Flo Health, in a statement provided to ISMG, says its agreement with the FTC is “not an admission of any wrongdoing.” Rather, it is a settlement “to avoid the time and expense of litigation and enables us to decisively put this matter behind us.”
The company says it “did not at any time share users’ names, addresses or birthdays with anyone. We do not currently, and will not, share any information about our users’ health with any company unless we get their permission. … We have a comprehensive privacy framework with a robust set of policies and procedures to safeguard our users’ data which are regularly reviewed both internally and using independent expert auditors.”
The FTC order may be the first to require a company to notify affected consumers that it violated its privacy promises to them, says former FTC attorney Julie O'Neill, a partner at law firm Morrison & Foerster, who was not involved in the Flo Health case. “It may reflect the FTC’s apparent trend … to want to really hold companies accountable for their violations,” she says.
Privacy and security attorney Ashley Thomas of the law firm Morris, Manning & Martin LLP says the proposed FTC settlement might not be the only regulatory action against Flo Health. “There could always be the potential that a European Data Protection Authority hears about it or receives a complaint from a consumer, and the European DPA could take action to investigate [the company’s] GDPR [General Data Protection Regulation] compliance.”
She also points out that “companies need to be aware of the various state privacy and cybersecurity laws that are emerging."