The Department of Justice, together with the Federal Trade Commission (FTC), today announced that the government has obtained substantial injunctive relief protecting consumer privacy against Easy Healthcare Corporation (Easy Healthcare), an Illinois corporation located in Burr Ridge, Illinois, pursuant to a stipulated order entered by a federal court today. The department also will collect $100,000 in civil penalties from the defendant, an amount based upon the defendant’s ability to pay.
In a complaint filed in the U.S. District Court for the Northern District of Illinois, the United States alleged that Easy Healthcare violated Section 5 of the FTC Act, 15 U.S.C. § 45, and the Health Breach Notification Rule (HBNR), 16 C.F.R. § 318, in connection with its ovulation and period tracking mobile application. The complaint alleges that Easy Healthcare engaged in deceptive and unfair acts by: (1) sharing persistent identifiers of consumers (unique markers that allow the identification of consumers’ online activity or mobile devices) without user notice or consent and sharing sensitive personal health information with certain third-party companies in violation of its privacy promises; (2) failing to disclose to users how those third parties could use such personal information, including for third-party advertising; and (3) failing to take reasonable measures to assess and address the privacy and data security risks created by incorporating third-party software into its application. The complaint also alleges that Easy Healthcare violated the HBNR through its ongoing failure to notify its users, the FTC, and the media of the unauthorized disclosures of user information.
The order entered by the court today requires Easy Healthcare to implement a comprehensive privacy and data security program with safeguards to protect consumer data. The order also requires Easy Healthcare to hire an independent third party to regularly assess its compliance with the privacy program for a period of 20 years. Easy Healthcare also is enjoined from sharing health information with third parties for advertising purposes, from sharing health information with third parties for other purposes without obtaining users’ affirmative express consent, and from making misrepresentations about Easy Healthcare’s privacy practices. In addition, Easy Healthcare is required to comply with the HBNR’s notification provisions in any future breach of security.
“The Department of Justice will not hesitate to pursue and hold accountable companies that fail to protect consumers’ privacy by sharing consumers’ private medical and other personal information and failing to notify consumers when such information has been made available to third parties,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The department is committed to protecting the public from companies that do not safeguard the privacy of consumers’ medical and other personal data as required by law.”
“Premom broke its promises and compromised consumers’ privacy,” said Director Samuel Levine of the FTC’s Bureau of Consumer Protection. “We will vigorously enforce the Health Breach Notification Rule to defend consumers’ health data from exploitation. Companies collecting this information should be aware that the FTC will not tolerate health privacy abuses.”
This matter is being handled by Rachel Baron and Claude Scott of the Civil Division’s Consumer Protection Branch and David Walko and Ronnie Solomon of the FTC.