HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Fertility App Provider Sued for Sharing User Data with Chinese Firms Without Consent

A lawsuit has been filed against Burr Ridge, IL-based Easy Healthcare Corp. over the alleged sharing of sensitive user data with third-party firms based in China without user consent.

Easy Healthcare Corp is the developer of Premom, a popular smartphone fertility app for tracking users’ ovulation cycles to identify their most fertile days. The lawsuit alleges a range of sensitive user data has been shared with at least three Chinese companies without obtaining users’ consent. Since the data is stored on servers in China, the lawsuit alleges sensitive information could potentially be accessed or seized by the Chinese government.

The data transmitted to the Chinese companies includes sensitive healthcare information, geolocation data, user and advertiser IDs, device activity data, and device hardware identifiers. Since the identifiers do not change, combining them with information about where they were observed would allow data collectors to reconstruct app users’ activities.

Identifiers shared with the Chinese firms include Wi-Fi media access control (MAC) addresses, which are unique identifiers for network interface controllers; router MAC/BSSID addresses, which provide geographical location data; and router SSIDs (service set identifiers), which provide information about Wi-Fi networks. It is also possible for information to be gathered about users’ interests, health, political views, religion, and other sensitive data.

The lawsuit alleges user data was sent to Jiguang (Aurora Mobile Ltd), Umeng, and UMSNS, which provide activity analysis, precision marketing, financial risk control, and location-based analysis services to their clients.

According to the lawsuit, the Premom privacy policy states, “We will not share or sell your personal data to advertising platforms, data brokers, or information resellers,” so the sharing of the data is in direct violation of those policies. While the privacy policy does state that non-identifiable user data may be collected, users are told that the information would not be shared with outside parties without user consent.

The plaintiff discovered that her personal data had been shared with the three Chinese companies for three years without her knowledge or consent. She claims to have been deceived by Easy Healthcare as she was not informed that her data would be provided to the Chinese entities. The lawsuit also alleges Easy Healthcare shared the data in exchange for monetary compensation and that the firm has been misrepresenting its data sharing practices, in what the lawsuit says is “an unfair, immoral, and unscrupulous business practice.” The lawsuit also claims user data is recorded whenever users unlock or use their phone, even if they are not using the app, which is in violation of Google Play’s developer policies.

The lawsuit was filed a few months after a bipartisan group of senators wrote to the Federal Trade Commission (FTC) to request an investigation of the data security and privacy practices of the Premom app, following the discovery of unauthorized data sharing by the watchdog group International Digital Accountability Council.

The lawsuit was filed in the US Northern District Court of Illinois, Eastern Division and seeks class action status and damages for app users. The lawsuit also calls for Easy Healthcare to stop sharing user data with companies without first obtaining consent from app users. Easy Healthcare has denied any wrongdoing.

Premom is not the only health app found to be sharing user data without obtaining informed consent from app users. The FTC settled a data privacy and security case with Flo Health in January 2021 after it was discovered to have misrepresented privacy practices for its fertility app and shared user data with a data analytics company without consent. Flo Health was ordered to review and revise its privacy policies and obtain consent from app users prior to sharing their data.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.