We are here to help. Visit our Coronavirus (COVID-19) Task Force Resource Center for the latest developments and legal updates.

Morris Manning & Martin, LLP

FTC Orders Health App Vendor to Revamp Privacy Practices

01.14.2021

The Federal Trade Commission announcement this week of a proposed health data privacy settlement with Flo Health, a fertility-tracking mobile app vendor, illustrates how the agency can play a critical role in helping ensure data not regulated under HIPAA is protected.

The Wilmington, Delaware-based app vendor has agreed to a major revamp of its privacy practices under a proposed settlement with the FTC. The commission alleged the startup company violated the FTC Act by misrepresenting to millions of women how it shared their sensitive health data with third-party analytics firms.

Under the proposed settlement, which will be finalized after a public comment period, Flo Health must get app users' consent before sharing their health information. It also must obtain an independent review of its privacy practices.

The FTC alleges that the developer of the period- and fertility-tracking app used by more than 100 million consumers shared the health information of users with data analytics providers, including Facebook and Google, after promising users that such information would be kept private.

"By encouraging millions of women to input extensive information about their bodies and mental and physical health, [Flo Health] has collected personal information about consumers, including name, email address, date of birth, place of residence, dates of menstrual cycles, when pregnancies started and ended, menstrual- and pregnancy-related symptoms, weight and temperature," the FTC says in its complaint against the company.

MMM's Ashley Thomas says the proposed FTC settlement might not be the only regulatory action against Flo Health: a European Data Protection Authority could always learn of the matter or receive a complaint from a consumer, and that European DPA could then investigate the company's General Data Protection Regulation (GDPR) compliance.

Read the full article at Healthcare Info Security