10/14/20
By Jake Holland and Andrea Vittorio
State attorneys general investigating mobile fertility apps for possible privacy violations are examining whether operators shared user data and whether they disclosed that sharing to users.
The probes are underway as a growing number of women in the U.S. use mobile fertility apps to try to conceive, and in the process they enter sensitive data into the app, including menstruation cycles, sexual activity, and hormonal treatments.
The Health Insurance Portability and Accountability Act largely doesn’t cover the apps, and many privacy policies are opaque, leaving women in the dark about where their data is going and who has access to it.
Attorneys general in Connecticut, Illinois, and Washington, D.C. are conducting probes after a tech watchdog found Premom, a popular digital ovulation tracker, had sent user information to third parties overseas.
“With an app or service, people have an expectation that their information is not being shared with third parties,” said Jeremy Pearlman, head of privacy and data security for Connecticut Attorney General William Tong (D). “That’s material to their decision of using the app, and if it’s not adequately disclosed or not disclosed at all, we want to scrutinize that.”
Washington, D.C.’s investigation concerns user location data allegedly being sent to third parties without permission, said Ben Wiseman, director of consumer protection for Attorney General Karl Racine (D).
“When companies make misrepresentations or fail to disclose how their products are impacting consumers, it violates our laws,” Wiseman said.
Jen, a 37-year-old from Northern Virginia who spoke on the condition that her last name not be used for privacy reasons, said she used Premom for about a year before she heard the news that it had reportedly shared personal data with Chinese app developers and analytics providers. She deleted the app immediately.
“It went straight off my phone,” she said. “It was such a gross overreach.”
Premom did not share any user information with any third parties, said Desiree Moore, an attorney for K&L Gates in Chicago who acts as legal counsel for the company. Premom previously used two Chinese companies’ software development kits for the limited purpose of incorporating certain functionality into the application, Moore said.
“Premom is also committed to limiting its use of any analytical or other tools provided by third parties that do not comport with Premom’s internal privacy standards and practices, and as information about those third party tools evolves,” she said.
Privacy Practices
The attorneys general started looking into Premom after the nonprofit International Digital Accountability Council disclosed its research showing the app, owned by Easy Healthcare Corp., appeared to be sharing geolocation data and device identifiers without user consent, contradicting the company’s own privacy policies.
“We were concerned that there was a difference between what they were telling users and what they were doing in terms of data transmission,” said the council’s president, Quentin Palfrey.
The council sent its findings to the attorney general in Illinois, where Premom is based, and to the Federal Trade Commission. The Illinois attorney general’s office is “looking into this,” according to a spokeswoman. She encouraged consumers to file any complaints with the office.
Connecticut’s Pearlman said the office couldn’t comment on any facts it has collected so far in its investigation, which began in August. D.C.’s Wiseman also declined to comment on what Racine has found so far.
A bipartisan group of senators led by Amy Klobuchar (D-Minn.) wrote to FTC chairman Joe Simons in late August raising privacy concerns with Premom. An FTC spokeswoman confirmed that the agency received the letter but declined to comment on whether it’s investigating.
Outside HIPAA
Another fertility tracker, Glow Inc., settled a probe by California’s attorney general in September over privacy and security lapses in its app. As part of the settlement, Glow must consider how potential risks to the data its app collects could affect women.
Going on maternity leave to have children could have negative effects on women’s careers, so data used for getting pregnant could be especially sensitive, said Ashley Thomas, an attorney at Morris, Manning, & Martin LLP who advises tech startups in the space. “That’s the unique thing with women’s health,” she said.
Even though fertility apps are gathering health data, they’re not covered by privacy protections in the Health Insurance Portability and Accountability Act, said Jordan Luke, an attorney with Bradley Arant Boult Cummings LLP in Nashville. That’s because HIPAA applies to covered entities including health plans, clearinghouses, and providers, and generally not mobile apps, she said.
“The data could be used in a lot of different ways, including targeted advertising,” Luke said. “A more nefarious use would be if an employer or an insurer secured the data and could practice pregnancy discrimination.”
Though many privacy policies say data may be shared with third parties, it’s difficult or impossible to know who’s getting that information or how it’s being used, Luke said.
Dianne Bourque, a healthcare attorney at Mintz Levin in Boston, said as mobile health apps grow more commonplace, companies should adopt industry best practices even if not legally necessary.
“Developers and providers should want to meet HIPAA standards so they know they have a good product,” Bourque said. “As consumers get smarter, the industry needs to get smarter, too.”
Glow, which declined to comment for this story, says on its website that its app is HIPAA compliant, earning a seal of verification from the Accountable HQ Inc. platform. Glow’s CEO Mike Huang said in an earlier statement on settling the California probe that the company “promptly implemented patches for the unintended vulnerabilities” and “found no evidence that any user information had been compromised.”
Data Security Questioned
Mobile health apps often have security flaws that traditional health care providers may not, said Bill Horne, vice president and general manager of Intertrust Secure Systems.
Apps can be reverse-engineered and information can be more easily leaked than at health care institutions, which generally store information at a physically secured data center, he said.
“Privacy is important, but what about if hackers get that information?” Horne said. “People don’t want their information shared, but when you add hackers into the mix, it becomes much more adversarial.”
Luke, the Bradley attorney, said women looking to use these apps should weigh their utility against potential privacy concerns, even if there’s “no foolproof” way to ensure data is safe.
“What would you be okay with being out there?” she said. “Everybody has a different level of concern with this type of information.”
Jen, the former Premom user, said she has multiple fertility tracking apps on her phone. She likes their convenience compared to pen-and-paper tracking and can input data points including ovulation cycles and medical testing information, she said.
The apps make it easier for her to share data when she meets with her doctor, Jen said. But she said she’s aware of the privacy and security implications.
“If it says the app is free, you’re the product that’s being sold,” Jen said. “There’s a cost.”