The 21st Century digital age has provided women with numerous sexual and reproductive health tools that track periods, ovulation, and pregnancy. By simply plugging certain health data inputs into these apps, women can now accurately track the most intimate moments of their lives. But is this sensitive health information secure?
Recent activity by the FTC suggests that, on some of these apps, it may not be:
- On May 18, 2023, the FTC proposed amendments to strengthen and modernize the Health Breach Notification Rule, specifically clarifying that it applies to health apps and similar technologies that are not covered by HIPAA. We’ve previously written on this topic here.
- On May 17, 2023, the FTC settled an enforcement action against Easy Healthcare Corporation, the developer of the Premom ovulation tracker app. The FTC alleged that Premom broke its privacy promises to consumers by disclosing users’ sensitive health data to Google and AppsFlyer and by sharing other personal information with two firms in China.
- On June 22, 2021, the FTC finalized a settlement with Flo Health, Inc., another fertility tracking app, requiring it to obtain affirmative consent of users before sharing their personal health information with third parties.
With the FTC actively scrutinizing reproductive health apps, developers of these apps should be re-examining their app’s data collection process, data usage practices, and data retention timeline. Just as importantly, developers should ensure that the representations about their data practices that they make to the women who use their apps are accurate, especially following last year’s U.S. Supreme Court decision in Dobbs v. Jackson, overruling Roe v. Wade. Some of the data collected by these reproductive health apps is highly sensitive, and may include many of the following data points: phone numbers, emails, postal addresses, gender, device ID, IP address, menstrual cycle length, date of last menstrual period, sexual activity, pregnancy due dates, doctor’s appointments, and pregnancy symptoms. This type of data (and the app developers that hold it) may be targeted by certain states that have banned abortions since the Dobbs decision was issued on June 24, 2022.
Following Dobbs, at least 4 states have enacted laws that criminalize abortion care. Therefore, the unauthorized disclosure of reproductive health data stored on these health apps may not only jeopardize a woman’s privacy but could also now risk her (and/or her provider’s) liberty. Following the enactment of the Texas “bounty hunter” statute in 2021 (where private citizens can file a civil lawsuit to obtain $10,000.00 in damages against anyone who knowingly aids and abets an abortion in Texas), it is not difficult to envision law enforcement officers requesting this health information to prosecute women and their health care providers in states where abortion is now illegal. Unfortunately, app developers that hold sensitive reproductive health care data could find themselves in the middle of this battle.
Currently, many reproductive health apps have privacy policies that are unclear or that do not detail how each company uses the data it collects, how long such data is kept, and how users can delete it from the app. Further, many of these apps don’t have clear guidelines on when and how much user data will be shared with law enforcement.
For all of these reasons, reproductive health app developers should update their privacy policies to more clearly identify what happens to data inputted into the app, whether it is shared with third parties and under what circumstances, how and for how long it is stored, how it can be deleted, and the specific circumstances under which it might be disclosed to law enforcement and whether notice will be provided to the app user prior to such disclosure.