Easy Healthcare Agrees to Compliance Settlement in FTC, AG Privacy Case
Easy Healthcare will make “significant changes” to its ovulation tracking app, Premom, to ensure data isn’t shared with third parties, said Washington, D.C., Attorney General Brian Schwalb (D) in a Wednesday news release announcing the healthcare company’s voluntary compliance settlement with the FTC and the AGs of Connecticut and Oregon.
The assurance is a “good faith settlement” of the AGs’ claims against Easy Healthcare over the company’s sharing of personal information with third parties through its fertility-based Premom ovulation tracker mobile app without users’ consent, said the document, consented and agreed to by Easy Healthcare CEO Xiaolin Liu March 27. The company denies the allegations and any wrongdoing and entered into the assurance “for settlement purposes only and solely to avoid the time and expense associated with litigation,” Liu said.
Under the assurance, Easy Healthcare will comply with consumer protection and personal information protection laws in connection with its collection, maintenance and safeguarding of personal information, Liu said. The company won’t make any misrepresentations about the extent to which it maintains and protects the confidentiality or security of personal information in its collection, consumers’ ability to control the privacy of their information, availability of information to third parties, or what it did to protect it, said the document.
Easy Healthcare won’t store, use, disclose or permit collection of personal information in any manner that’s incompatible with the specified purpose for which it's collected, said the assurance. Nothing about specific safeguards of the privacy program will preclude the company from using personal information for a “permissible secondary purpose,” including internal research to improve a product or targeted advertising “consistent with the provisions of this Assurance,” it said.
Within 60 days, Easy Healthcare will implement a comprehensive information privacy program for the collection, storage, use and disclosure of personal information, the assurance said. The company won’t collect personal information “except for a specified, legitimate” and necessary purpose, and it won’t disclose health information to third parties without first obtaining affirmative express consent in response to a notice that clearly and conspicuously states the categories of information to be disclosed, it said. It also agreed not to disclose location information without affirmative express consent.
Before collecting personal information and disclosing it to third parties, Easy Healthcare will implement a due diligence selection process capable of safeguarding personal information, Liu said. The company will verify privacy policies of service providers and third parties and only select ones with policies available on their website homepages or that are otherwise easily accessible by consumers, he said. The company will allow consumers to revoke previously granted affirmative express consent for disclosure of their health or location information, and it will provide an easily accessible method to do so within 45 days of receipt of the request, said the assurance.
In a separate privacy case, DOJ sued (docket 1:23-cv-03107) Easy Healthcare Wednesday in U.S. District Court for Northern Illinois in Chicago for violation of the FTC Act alleging “unfair or deceptive acts or practices in or affecting commerce.” Claims include privacy misrepresentation in disclosing health information and sharing data with third parties; third parties’ use of shared data; deceptive failure to disclose geolocation information with third parties and their use of shared data; unfair sharing of health information for advertising without express consent; and violation of the Health Breach Notification Rule.
Consumers “are suffering, have suffered, and will continue to suffer substantial injury as a result of Defendant’s violations of the FTC Act,” said DOJ. It seeks a permanent injunction to prevent future violations, plus monetary civil penalties for each violation of the Health Breach Notification Rule.
DOJ proposed a settlement to avoid “the time and expense of litigation,” it said in a statement of reasons for settlement accompanying a motion for entry of stipulated order for permanent injunction, civil penalty judgment and other relief. The statement imposes a $100,000 civil penalty judgment and provides for “robust injunctive relief,” including banning Easy Healthcare from sharing certain types of information, requiring it to implement a privacy and security compliance program and maintaining “effective means” to ensure future compliance.