Lawsuit: App Maker Shared Health Data With Chinese Firms
Earlier, Senators Had Expressed Concern About Easy Healthcare Corp.’s Practices
A lawsuit seeking class action status alleges that the maker of a fertility mobile app is sharing with three Chinese companies its users’ personal information and location data – without first obtaining users’ consent.
The lawsuit filed against Burr Ridge, Ill.-based Easy Healthcare Corp. by a user of the company’s free fertility app, Premom, alleges the Android app is sharing personal and sensitive health data, as well as geolocation data, device activity data, user and advertiser IDs and nonresettable device hardware identifiers, with three Chinese firms.
The legal action comes several months after a bipartisan group of senators sent a letter to the Federal Trade Commission asking for the agency to examine the Premom app’s data security and privacy practices after a watchdog group discovered the app’s alleged data sharing with Chinese firms.
According to the lawsuit, the three China-based companies with which the Premom app shared user data are:
- Jiguang, also known as Aurora Mobile Ltd., which the lawsuit says provides clients with user activity analysis, precision marketing, financial risk control and location-based analysis;
- Umeng, which the lawsuit says claims to be the leading provider of mobile app analytics in China and was acquired by Alibaba Group in 2013;
- UMSNS, a data collection firm whose website UMSNS.com is operated by Alibaba Cloud Computing and is not accessible outside China, according to the lawsuit.
The three companies store Premom app users’ data on servers located in China, where it’s at risk of being seized by the government, the lawsuit alleges.
Prior to its launch, Easy Healthcare coded into the Premom app software the ability for these Chinese entities to access Premom app users’ personal information and location data, according to the lawsuit.
Easy Healthcare shared the users’ data without their knowledge or consent, while the app vendor received remuneration from the three Chinese companies, the lawsuit alleges. Such conduct by Easy Healthcare “is an unfair, immoral, and unscrupulous business practice,” the complaint adds, alleging fraud, breach of contract, unjust enrichment, and violations of the Illinois Consumer Fraud & Deceptive Business Practices Act.
“If any of these three Chinese entities have their data ‘hacked’ by parties with nefarious intentions, it is possible that neither [Easy Healthcare] nor the Chinese entities are under any obligation from state or federal laws to report said data violations to any Premom users,” the lawsuit alleges.
Among the user information sent from the Premom app to the Chinese companies are “persistent identifiers” that tend not to change over time, the lawsuit claims.
“Combining persistent identifiers with information about where it was observed allows a data collector to reconstruct an individual’s activities,” the complaint alleges.
The lawsuit says that the persistent identifiers the Easy Healthcare app shared with companies in China included:
- Wi-Fi media access control, or MAC - a unique identifier assigned to a network interface controller.
- Router MAC, also called BSSID address, which provides geographical location information and is also not resettable without modifying hardware.
- Router SSID, or Service Set ID - the technical term for a Wi-Fi network name.
Seeking Damages, Change
The lawsuit seeks damages and a court order requiring the company to stop sharing any Premom app user’s data with any third party without consent.
An attorney representing Easy Healthcare tells Information Security Media Group: “The allegations are without merit, and Easy Healthcare is confident it will prevail. Easy Healthcare is dedicated to the privacy and protection of its users above all, and will continue to dedicate its efforts to its central mission of helping women achieve their fertility goals.”
If the allegations are accurate, "the extent and scope of the information collected and shared is breathtaking - and not necessary to carry out the services offered," says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., which is not involved in the lawsuit.
The lawsuit comes after seven U.S. senators sent a letter to the FTC in August asking the agency to examine the data collection and sharing practices of the Premom mobile app.
The lawmakers’ letter noted that a recent investigation from the watchdog group International Digital Accountability Council “indicated that Premom may have engaged in deceptive consumer data collection and processing, and that there may be material differences between Premom’s stated privacy policies and its actual data sharing practices.”
The letter said that investigation “found that Premom shared its users’ data without their consent … with three third-party advertising companies based in China … including non-resettable unique user device identifiers that can be used to build profiles of consumer behavior.”
The letter also notes: “Users of the Premom app were not given the option to opt out of sharing their personal data with these advertising companies.”
An FTC spokeswoman declined to comment on the case.
Last month, the FTC issued a proposed settlement in a similar privacy and security case involving another women’s health app maker, Flo Health.
The vendor agreed to a major revamp of its privacy practices after the commission alleged it violated the FTC Act by misrepresenting to millions of women how it shared their sensitive health data with third-party analytics firms.
Regulatory attorney Ashley Thomas of the law firm Morris, Manning & Martin LLP says these kinds of cases could be a catalyst for the adoption of a national privacy law.
“Now that we have a new administration and new congressional session, there is the real potential we could get a new comprehensive data privacy law that would address data collection of this nature,” she says.