The Federal Trade Commission has issued a proposed order to settle charges that online counseling service BetterHelp revealed consumers’ sensitive data with third parties such as Facebook and Snapchat for advertising after promising to keep such data private.

UNITED STATES DISTRICT COURT

NORTHERN DISTRICT OF ILLINOIS

BRIAN M. BOYNTON
Principal Deputy Assistant Attorney General
Civil Division

ARUN G. RAO
Deputy Assistant Attorney General

AMANDA N. LISKAMM
Director

LISA K. HSIAO
Assistant Director

RACHEL E. BARON
Trial Attorney
Consumer Protection Branch
U.S. Department of Justice
Civil Division

UNITED STATES OF AMERICA, Plaintiff, v. EASY HEALTHCARE CORPORATION, a corporation, d/b/a EASY HEALTHCARE, Defendant

Case No. 1:23-cv-3107

COMPLAINT FOR PERMANENT INJUNCTION, CIVIL PENALTY JUDGMENT, AND OTHER RELIEF

Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission (“FTC”), pursuant to Section 16(a)(1) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 56(a)(1), for its Complaint alleges:

• Plaintiff brings this action under Sections 5(a)(1), 5(m)(1)(A), 13(b), 16(a)(1), and 19 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 45(a)(1), 45(m)(1)(A), 53(b), 56(a)(1), 57b, which authorize the Plaintiff to seek, and the Court to order, permanent injunctive relief, civil penalties, and other relief for Defendant’s acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), and in violation of the Health Breach Notification Rule (the “Rule” or the “HBNR”), 16 C.F.R. § 318.

SUMMARY OF THE CASE

• Defendant Easy Healthcare Corporation (“Defendant” or “Easy Healthcare”) has developed, advertised, and distributed a mobile application (“app”) called the Premom Ovulation Tracker (“Premom”) that allows users to input and track various types of personal and health information. For example, users can log information about their periods and fertility and upload pictures of ovulation test strips that the app can analyze to attempt to predict the user’s next ovulation cycle. Defendant also designed Premom to permit users to import their health data from other devices or apps.

• Hundreds of thousands of women have downloaded and used Premom, giving Defendant access to their mobile phones and their health information and other personal data. Between 2017 and 2020, Defendant repeatedly and falsely promised Premom users in their privacy policies that Defendant:

  • (a) would not share health information with third parties without users’ knowledge or consent;
  • (b) to the extent Defendant collected and shared any information, it was non-identifiable data; and
  • (c) the data was used only for Defendant’s own analytics or advertising. Further, its privacy policies over time promised that Defendant would otherwise notify and obtain consent from users before using its users’ data for any other purposes.

• These representations were false or deceptive. Since 2018, Defendant has shared Premom users’ identifiable health information with Google, LLC (“Google”) and marketing firm AppsFlyer Inc. (“AppsFlyer”). This sharing was contrary to Defendant’s promises to users and thus constitutes a breach of unsecured health information that requires notice to Premom users under the Health Breach Notification Rule. Because Defendant has not provided timely and proper notice to consumers, the FTC, or the media of this sharing, Defendant is in violation of the FTC Act and the Health Breach Notification Rule.

• In addition to sharing users’ sensitive health information with Google and AppsFlyer, between 2018 and 2020, Defendant shared users’ sensitive, identifiable data with foreign mobile analytics companies Jiguang (also known as Aurora Mobile Ltd.) and Umeng. Defendant took no action to limit what these companies could do with their users’ information. Rather, it merely agreed to each company’s standard terms of service, all of which gave these companies broad latitude to use the data as they saw fit, including for advertising.

• Defendant continued to share users’ sensitive, identifiable data with Jiguang and Umeng, while promising privacy to its users, until the summer of 2020. At that time, the Google Play Store informed Defendant that its transfer of data to Umeng violated the Play Store policies, and separately the Washington Post reached out to Defendant for comment related to an article detailing their data practices.

• In addition to making these false and deceptive representations to consumers, Defendant failed to implement reasonable privacy and data security measures. Because of these failures, Defendant shared Premom users’ data with third parties in violation of Section 5 of the FTC Act and failed to provide notice to consumers, the FTC, and the media of a breach of unsecured health information in violation of the Health Breach Notification Rule.

JURISDICTION AND VENUE

• This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331, 1337(a), and 1345.

• Venue is proper in this District under 28 U.S.C. §§ 1391(b)(1), (b)(2), (c)(1), (c)(2), and (d), and 15 U.S.C. § 53(b).

DEFENDANT

• Defendant Easy Healthcare Corporation (“Easy Healthcare”) is an Illinois corporation with its principal office or place of business at 360 Shore Dr. Unit B, Burr Ridge, IL 60527. Easy Healthcare transacts or has transacted business in this District and throughout the United States. Easy Healthcare has developed and published Premom, an app that functions as an ovulation tracker, period tracker, and pregnancy resource for those who are trying to conceive.

COMMERCE

• At all times relevant to this Complaint, Defendant has maintained a substantial course of trade in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.

THE PREMOM APP

• At all times relevant to this Complaint, Defendant has developed, advertised, and distributed Premom, which functions as an ovulation tracker, period tracker, and pregnancy resource for those who are trying to conceive.

• Since at least 2017, Defendant has made Premom available to users for free download from the Apple App Store and the Google Play Store. In the product description on the Google Play Store, Defendant has described Premom as “the most accurate and reliable period tracker, ovulation calculator, and fertility calendar” and “the only fertility tracker and ovulation app that offers a pregnancy guarantee to help women who are trying to conceive (TTC) make their baby dreams come true.” Hundreds of thousands of users have downloaded and used Premom.

• Premom is designed to be used with ovulation test strips, which Easy Healthcare also produces and sells. Defendant’s ovulation test kits have consistently ranked as a number one best seller on Amazon.com, and the test kits encourage purchasers to download the Premom app.

• Defendant encourages women trying to conceive to upload pictures of ovulation tests and input large amounts of health information into the app. Premom’s description in the Apple App Store states: “Track your symptoms and activities - period, moods, sex, sleep, cervix mucus, and more.” Defendant further states in its Google Play Store description that “Our automatic ovulation test reader with ovulation test kits (OPK), offers optimized fertility predictions you can trust.” For instance, while using the app, Premom asks users to input the dates they started their periods and upload results of progesterone tests.

• In Premom’s description in the Google Play Store and Apple App Store, Defendant further encourages women to connect Premom to third-party apps and products so that Premom can import health information from those apps or products. Specifically, Premom users can import their body temperatures, along with the date and time that the temperature is taken, from the Apple Health app. Users can also import their body temperatures from thermometers that connect to Premom via Bluetooth.

• Through Premom, Defendant has collected extensive sensitive personal health information about consumers, including dates of menstrual cycles, temperatures, pregnancy and fertility status, whether and when pregnancies started and ended, weight, progesterone and other hormone results, and pregnancy-related symptoms. Defendant also tells users that they can infer other facts about their health from this information, such as whether they suffer from conditions like Polycystic Ovary Syndrome or hormonal imbalances.

DEFENDANT MADE DECEPTIVE REPRESENTATIONS AND OMISSIONS ABOUT ITS INFORMATION COLLECTION, SHARING, AND USE PRACTICES

• Since 2017, Defendant repeatedly falsely promised Premom users in their in-app and website privacy policies that Defendant:

  • Would not share health information with third parties.
  • To the extent Defendant collected and shared any information, it was non-identifiable data.
  • The data was used only for Defendant’s own analytics or advertising.

• First, between April 2019 and September 2020, Defendant repeatedly stated in multiple in-app privacy policies that it would not share any health information with third parties without user consent. For example, in a privacy policy dated July 7, 2020, Defendant stated in a paragraph set off from other paragraphs: “WE PROMISE WE WILL NEVER SHARE YOUR EXACT AGE OR ANY DATA RELATED TO YOUR HEALTH WITH ANY THIRD PARTIES WITHOUT YOUR CONSENT OR KNOWLEDGE.”

• Second, since at least December 13, 2021, Defendant has stated in their in-app and website privacy policy that “Premom uses AppsFlyer, a mobile marketing platform based in the United States, to handle non-health Personal Data” and that “third-party services do not have access to your health information through the Services unless you share that information directly with them.”

• Third, Defendant also represented that it would share only “non-identifiable data” with third parties. Between May 2017 and July 2020, Premom’s privacy policy posted on its website represented that it collected and shared Premom users’ “nonidentifiable information for purposes of tracking analytics of the usage of [its] application.” Premom’s privacy policy represented that its use of third-party analytics software and software development kits “identifies a user solely by IP address.”

• Fourth, when a user wanted to connect a Bluetooth thermometer to Premom, Defendant prompted users with the following statement: “Please allow Premom to access your location and turn on the GPS for Bluetooth so it can find your thermometer” and asked users to “Allow Premom to access this device’s location?” However, Defendant did not disclose in this prompt that it shared Premom users’ location information with third parties.

• Finally, Defendant represented that Premom users’ data would be used only for Defendant’s own analytics and advertising. Between May 2017 and July 2020, the privacy policy posted on Premom’s website stated that it collected users’ data to “[c]ustomize, measure and improve our services, content and advertising,” and to “[e]valuate your use, preferences and trends for our own internal statistical and analytical purposes which we may use for marketing purposes. . . .” Defendant further represented that it “will not use your personal information for any purposes, other than those outlined in” Defendant’s privacy policy or terms of service.

• As described below, each of these representations or omissions made by Defendant was false or misleading.

DEFENDANT SHARED PREMOM USERS’ HEALTH INFORMATION THROUGH CUSTOM APP EVENTS

• Defendant integrated into the Premom app software development tools, known as software development kits (“SDKs”), from numerous third-party marketing and analytics firms. These SDKs provide functions for Defendant, such as enabling Defendant to track and analyze Premom users’ interactions with Premom. By integrating these SDKs into Premom, Defendant would transfer its app users’ data to the publisher of each SDK.

• In fact, Defendant has incorporated SDKs from Google and AppsFlyer into the Premom app and disclosed health information to them through “Custom App Events.”

• Defendant tracks “Standard App Events,” which are records of routine app functions, such as launching or closing the app, as well as “Custom App Events,” which are records of user-app interactions unique to Premom. For example, when a user uploads a picture of an ovulation test, Defendant records the user’s interaction with that feature as a Custom App Event that is shared with Google and AppsFlyer.

• Rather than giving its Custom App Events anonymous names, Defendant chooses descriptive titles that convey health information about Premom users. For example, when a user opens Premom’s calendar and logs her fertility, Defendant records the Custom App Event as “Calendar/Report/LogFertility.” When a user signs up for Defendant’s pregnancy guarantee, which promises to refund a Premom user’s purchases of their ovulation and pregnancy test kits if a user does not successfully conceive within nine months of using Premom, Defendant records the Custom App Event as “Guarantee/signup.” And when a user logs and saves information related to her period, Defendant records the Custom App Event as “Log period-save.” Defendant chose other descriptive titles such as “Signup/Birth” and “Ovulation/Static/Success.”

• By sharing these Custom App Events with either AppsFlyer or Google, Defendant consequently conveyed information about users’ fertility and pregnancies.

• By including sensitive health information in the titles of the Custom App Events it has shared through third-party SDKs, Defendant has conveyed the health information of hundreds of thousands of users to these third parties for years. Through these SDKs, Defendant has also collected and shared Premom users’ unique advertising or device identifiers. As described below in Paragraphs 36 through 38, third parties can use device identifiers to track consumers across the internet and apps, and eventually—through their own lists or by using a third-party service—match these identifiers to an actual person. Ultimately, this could allow these third parties to associate these fertility and pregnancy Custom App Events to a specific individual.

• Defendant’s transfers of these Custom App Events directly contradict Defendant’s statements in their privacy policies that it would not share health information with third parties without users’ knowledge or consent.

• Defendant has never provided notice to Premom users of these unauthorized disclosures.

DEFENDANT SHARED CONSUMERS IDENTIFIABLE INFORMATION WITH THIRD PARTIES

• Despite their assertions between 2018 and 2020 that their analytics software “identifies a user solely by IP address” and that it shared only non-identifiable data with third parties, Defendant—through the use of SDKs—collected and shared more than IP addresses, including information that could be used to identify Premom’s users and disclose to third parties that these users were utilizing a fertility app.

• Over various time periods since 2018, Defendant has incorporated into Premom the SDKs of, inter alia, Umeng, a Chinese mobile app analytics provider owned by the Chinese technology conglomerate Alibaba, and Jiguang, a Chinese mobile developer and analytics provider. Specifically, Defendant integrated U-Share and JPush, the SDKs marketed by Umeng and Jiguang respectively, into Premom.

• Through the U-Share SDK, Defendant shared social media account information of Premom users with Umeng. By incorporating U-Share into Premom and sharing Premom users’ social account information to Umeng, Defendant shared sensitive data that identifies its users.

• Furthermore, the U-Share and JPush SDKs collected extensive amounts of other identifiable data on Premom’s users and transmitted it to Umeng and Jiguang, including:

  • Resettable identifiers such as Android ID and Android Advertising ID—which are a combination of numbers and letters assigned by a mobile phone to a user that can be used for targeted advertising—and phone Wi-Fi Media Access Control (MAC) addresses, which are identifiers for devices on a network.
  • Non-resettable identifiers, such as:
    • Hardware Identification (HWID) and International Mobile Equipment Identity (IMEI) numbers—which are a set of numbers and letters that are unique and identify a computer or mobile phone.
    • Router, Bluetooth, and Wi-Fi Media Access Control (MAC) addresses—which are unique numbers hardcoded to those devices—of devices on the network to which Premom users connected.
    • Router Service Set Identifiers (SSIDs)—which are the names of your wireless network—and Bluetooth names—which contain identifying information, such as “Baker Family Wifi” or “Robert’s Phone.”
  • Precise geolocation information—including Global Positioning System (GPS) coordinates information.

• Companies can track consumers across the internet and devices via these resettable and non-resettable identifiers. A company can use these identifiers to track a consumer across apps and devices, and to collect other information about them that, in combination with these identifiers, can be used to identify particular individuals. Notably, non-resettable device identifiers, such as a device’s IMEI, are hardcoded to the device or network and, as a result, consumers concerned about tracking cannot disassociate themselves from their previous tracking history. Once a non-resettable identifier is linked to a consumer, that consumer cannot disassociate from the identifier without incurring great costs, such as needing to acquire a new phone or Wi-Fi router. In contrast, resettable identifiers permit consumers concerned about tracking to disassociate themselves from their previous tracking history by resetting the advertising identifier in either Apple’s iOS or Google’s Android settings. In doing so, the consumer would receive a new advertising identifier.

• For example, through an SDK, a third party may receive information that a consumer with an advertising ID X12345 and an IMEI ABC6789 used the Premom app. Later, that same third party may receive information that a consumer with an IMEI ABC6789 also used an app for weight loss. And sometime later, that same third party may receive information that a consumer with an advertising ID X12345 is using a smoking cessation app. The third party now knows that the same consumer (with an advertising ID X12345 and IMEI ABC6789) used a fertility app, a weight loss app, and a smoking cessation app. And while a consumer can disassociate themselves from advertising ID X12345, they cannot disassociate themselves from IMEI ABC6789 without purchasing a new mobile device.

• Through the use of matching lists or through third-party services, a third-party can link these identifiers to a real person. Many surveillance advertising businesses specialize in tracking consumers’ devices, collecting information on consumers, and identifying the consumer behind the device using this data, as well as connecting that consumer to other devices. Non-resettable identifiers are particularly important to the surveillance advertising industry. So, if a consumer provides their name in connection with an app that collects such resettable and non-resettable identifiers, or logs in to a major platform that shares such identifying information, then a third-party surveillance company or data broker can connect such identifiers to a person’s name or identifying information. As such, a third party may learn that a user associated with advertising ID X12345 and IMEI ABC6789 is actually Jane Doe, and thereafter, the third party will know that Jane Doe uses Premom, a weight loss app, and a smoking cessation app.

• In addition, when device identifiers are associated with precise geolocation data, the data becomes even more identifiable. With only a few location signals and a device identifier, third parties can identify a consumer’s home address and identify other sensitive information about consumers, such as a consumer’s healthcare provider or place of work. As such, through data shared through an SDK, a third party may learn that the user associated with advertising ID X12345 and IMEI ABC6789 spends every evening at 123 Main St., and thereafter, the third party will know that Jane Doe uses Premom, a weight loss app, and a smoking cessation app, and lives at 123 Main St.

• In addition to violating their promises to consumers, Defendant’s contracts with Umeng and Jiguang and sharing of this information with Umeng and Jiguang violated Apple and Google policies. Jiguang disclosed in its privacy policy that Jiguang collected Wi-Fi MAC addresses, and Defendant reviewed and agreed to Jiguang’s privacy policy before incorporating the JPush SDK. Both Apple and Google contractually prohibit application developers from correlating, or syncing, the device advertising identifier with other identifiers, and from allowing third parties to obtain the advertising identifier via the application. Apple specifically forbids the collection of non-resettable device identifiers. Similarly, Google’s Developer Policies state that in order to “protect user privacy,” the Android Advertising ID “must not be connected to personally-identifiable information or associated with any persistent device identifier . . . without explicit consent of the user,” and it restricts “access to MAC addresses.” Typically, only a privileged app (e.g., a pre-installed app) can have access to the Wi-Fi MAC address. However, the JPush SDK circumvented Android’s privacy controls and exploited a known bug in order to acquire Premom users’ Wi-Fi MAC addresses.

• Defendant did not just share sensitive, identifiable data with Umeng and Jiguang; it also knew that Umeng and Jiguang could use this data for their own business purposes or could transfer the data to additional third parties, and failed to disclose this information to Premom users. In fact, prior to incorporating each of these SDKs, Defendant reviewed and agreed to Umeng’s and Jiguang’s terms of service and privacy policies. Each terms of service and privacy policy allowed these third parties to use and share Premom users’ information for any of their own business purposes, including advertising. Since at least 2019, Umeng’s privacy policies have stated that Umeng has the right to use data collected through U-Share for advertising purposes and transfer the data to its advertising and media partners. Likewise, since at least 2019, Jiguang’s privacy policies have also stated that Jiguang may share the data collected through the “JPush” SDK with third parties.

• Defendant never disclosed to Premom users that Jiguang could share data collected through the JPush SDK with third parties. Additionally, until July 2020, Defendant did not disclose that Umeng could share Premom user data with its partners. Defendant only made such a disclosure regarding Umeng after Google notified Defendant that their use of U-Share violated Google Play Store policies.

• Altogether, the collection and sharing of the mobile device identifiers, and in particular the non-resettable identifiers described in Paragraphs 31 to 38, 40, and 41, enables third parties to circumvent operating system privacy controls, track individuals, infer the identity of an individual user, and ultimately associate the use of a fertility app to that user. The collection of social media account information described in Paragraph 34 also enables third parties to identify individual users and associate the use of a fertility app to that user. This directly contradicted Defendant’s statements in their privacy policies that it would identify “a user solely by IP address” and share only “non-identifiable data” with third parties.

• When Defendant sought Premom users’ permission to access their location in order to pair a Bluetooth thermometer, as described in Paragraph 22, it failed to disclose that it collected and shared precise geolocation information with Umeng and Jiguang, as described in Paragraph 35. Nor did Defendant disclose that Umeng and Jiguang could use and transfer this information for their own purposes, such as third-party advertising.

• In addition, by providing data to third parties that explicitly reserved the right to use such data for third-party advertising, Defendant directly contradicted its own statements that it would use Premom users’ data only for their own analytics and advertising.

DEFENDANT FAILED TO IMPLEMENT REASONABLE PRIVACY AND DATA SECURITY MEASURES

• Defendant failed to take reasonable measures to assess and address privacy risks to user information while creating and maintaining Premom. For example:

  • Defendant failed to adequately assess the privacy risks of third-party SDKs prior to incorporating those SDKs into Premom.
  • Defendant failed to monitor changes in the privacy policies and terms and conditions of the SDK publishers as those publishers changed their data collection practices and updated their policies and terms; failed to engage in any audits, assessments, compliance reviews, or tests—including any tests to determine what data was transferred to third parties—regarding the data collection and privacy practices of the third-party publishers whose SDKs it incorporated into Premom; and failed to update their privacy practices to reflect changes that affected Premom users’ data.
  • Defendant failed to enforce or ensure compliance with their own privacy promises to consumers by, for example, failing to establish or enforce any internal privacy compliance programs, protocols, or policies, such as relating to data sharing and third-party SDKs.
  • Defendant failed to develop policies regarding the secure implementation of third-party SDKs, including policies that ensured that the implementation of third-party SDKs complied with Defendant’s privacy promises and mobile app store policies and protected Premom users’ data and privacy.
  • Defendant failed to provide adequate privacy training for those employees responsible for incorporating and testing third-party SDKs.

• As a result of these privacy failures, Defendant failed to encrypt or label its Custom App Events to prevent the transfer of Premom users’ health information to Google and AppsFlyer.

• In addition, as a result of these privacy failures, Defendant did not take steps to address Jiguang’s and Umeng’s collection of multiple mobile device identifiers of their users or investigate the purposes for which Jiguang and Umeng collected this data, as described above. Defendant failed to take reasonable measures to assess and address data security risks created by third-party SDKs incorporated into Premom. Specifically, JPush fails to encrypt adequately Premom users’ sensitive information. When JPush transferred users’ information to Jiguang’s servers outside the United States, JPush both utilized a non-standard encryption method and included the decryption key in the transfer. As a result of these practices, any third party who acquired this data, including foreign governments or bad actors, could decrypt and access Premom users’ sensitive data, including precise geolocation information and non-resettable identifiers described above.

Consumer Injury

• As a further result of these privacy and data security failures, consumers suffered both increased risks of harm and actual harm. Among other harms:

  • Users’ sensitive device identifiers, including non-resettable identifiers, and other identifiable data were sent with inadequate encryption or similar protective measures to third parties outside the United States, subjecting this data and information to potential interception and/or seizure by bad actors and foreign governments.
  • Users’ sensitive, non-resettable device identifiers and identifiable data were transferred to third parties, without users’ knowledge or consent, for the purpose of third-party advertising. The transfer of non-resettable device identifiers and identifiable data enabled these third parties to target and track users in a way that circumvented users’ operating system privacy controls, without users’ knowledge or consent.
  • Users’ health information has been shared with third parties, without users’ authorization. Defendant’s sharing of Premom users’ Custom App Events and persistent identifiers has revealed highly sensitive and private details about their users. This has led to the unauthorized disclosure of facts about individuals’ sexual and reproductive health, parental and pregnancy status, as well as other information about individuals’ physical health conditions and status. Disclosure of this information without authorization is likely to cause Premom users stigma, embarrassment, or emotional distress, and may also affect their ability to obtain or retain employment, housing, health insurance, disability insurance, or other services. Moreover, it has increased the risk of further unauthorized disclosures.

• Consumers had no way of independently knowing about Defendant’s privacy and data security failures and could not reasonably have avoided possible harms from such failures.

DEFENDANT VIOLATED THE HEALTH BREACH NOTIFICATION RULE

• Congress enacted the American Recovery and Reinvestment Act of 2009, which directed the FTC to promulgate a rule requiring vendors of personal health records and related entities that collect healthcare information to provide notice to consumers and the FTC following a breach of security.

• The FTC published a notice of proposed rulemaking on April 16, 2009, and promulgated the Rule and published supplementary information on August 17, 2009, under Section 13407 of the American Recovery and Reinvestment Act of 2009, Public Law 111-5, 123 Stat. 115 (2009). The Rule became effective on August 25, 2009, and companies became subject to FTC enforcement on February 22, 2010. Pursuant to Section 13407 of the American Recovery and Reinvestment Act of 2009, and section 18(a)(1)(B) of the FTC Act, 15 U.S.C. § 57a(a)(1)(B), a violation of the Rule constitutes an unfair or deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

• Among other things, the Rule requires vendors of personal health records (“PHR”) and PHR related entities to notify U.S. consumers and the FTC, and in some cases, the media, if they experience a breach of security.

• The Rule defines “breach of security” to mean “with respect to unsecured PHR identifiable health information of an individual in a personal health record, acquisition of such information without the authorization of the individual.” 16 C.F.R. § 318.2(a).

• The Rule defines “personal health record” to mean “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” 16 C.F.R. § 318.2(d).

• The Rule defines “PHR identifiable health information” to mean “‘individually identifiable health information,’ as defined in section 1171(6) of the Social Security Act (42 U.S.C. 1320d(6)), and, with respect to an individual, information:

  • (1) That is provided by or on behalf of the individual.
  • (2) That identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” 16 C.F.R. § 318.2(e).

• The Rule defines “vendor of personal health records” to mean “an entity, other than a HIPAA-covered entity or an entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that offers or maintains a personal health record.” 16 C.F.R. § 318.2(j).

• The Rule defines “unsecured” to mean with respect to PHR identifiable information, such information “that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in guidance issued under section 13402(h)(2) of the American Reinvestment and Recovery Act of 2009. This guidance specifies that PHR identifiable information is protected when such information is “rendered unusable, unreadable, or indecipherable to unauthorized individuals” using technology such as encryption.

• Defendant is a vendor of personal health records under the Rule. Defendant offers Premom, which is a personal health record because Premom collects and receives PHR identifiable health information from multiple sources. As described in Paragraphs 14 to 17, Premom users input health information into the Premom app. Among other health information, a Premom user can upload a picture of an ovulation test, which Premom then analyzes to determine whether the user is ovulating. Premom also collects users’ health and non-health information from Bluetooth thermometers or third-party apps; for instance, a user can import from Apple Health her temperature and the date and time the temperature was taken. Moreover, as described in Paragraphs 13 to 17, Premom users manage and control the PHR identifiable health information held in the Premom app. Each individual Premom user decides whether to input health information into Premom and how many of Premom’s functions and services she will utilize.

• In numerous instances, beginning in at least 2017, Defendant, as “a vendor of personal health records,” experienced “breaches of security” of more than 500 consumers’ unsecured PHR identifiable health information through the disclosure, and subsequent acquisition of Custom App Event titles relaying such information, by third parties such as Google and AppsFlyer, without the authorization of Premom users. This PHR identifiable health information was unsecured. This information was transferred to third parties such as Google and AppsFlyer without the use of encryption or other means to render it unusable, unreadable, or indecipherable to unauthorized individuals because this information was sent as Custom App Event titles in plain text, as described in Paragraphs 26 to 28 above.

• Based on the facts and violations of law alleged in this Complaint, the FTC has reason to believe that Defendant is violating or is about to violate laws enforced by the Commission because, among other things, Defendant has shared PHR identifiable health information with third parties without obtaining Premom users’ authorization. Defendant’s violation of the Health Breach Notification Rule is ongoing. Defendant has not notified users, in accordance with the notification provisions of the Health Breach Notification Rule, that it breached the security of Premom users’ PHR identifiable health information through Premom’s unauthorized disclosures to Google and AppsFlyer.

• Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A), as modified by Section 4 of the Federal Civil Penalties Inflation Adjustment Act of 1990, 28 U.S.C. § 2461, the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, Public Law 114-74, sec. 701, 129 Stat. 599 (2015), and Section 1.98(d) of the FTC’s Rules of Practice, 16 C.F.R. § 1.98(d), authorizes this Court to award monetary civil penalties of not more than $46,517 for each knowing violation of the Rule.

• Defendant has violated the Rule with the knowledge required by Section 5(m)(1)(A) of the FTC Act, 15 U.S.C. § 45(m)(1)(A).

VIOLATIONS OF THE FTC ACT

• Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.”

• Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.

• Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).

COUNT I. Privacy Misrepresentation – Disclosures of Health Information

• In numerous instances, as alleged in Paragraphs 19 and 20, Defendant has represented, directly or indirectly, expressly or by implication, that it would not disclose, without consumers’ knowledge or consent, their health information to third parties, that AppsFlyer would not receive consumers’ health information, and that third-party services would not receive consumers’ health information unless the consumer shares the health information directly with them.

• In truth and fact, in numerous instances in which Defendant made the representations set forth in Paragraph 67, Defendant did disclose consumers’ health information to AppsFlyer and Google as set forth in Paragraphs 4 and 25 to 31.

• Therefore, Defendant’s representations as set forth in Paragraph 67 are false or misleading and constitute a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

COUNT II. Privacy Misrepresentation – Sharing Data with Third Parties

• In numerous instances, as alleged in Paragraph 21, Defendant represented, directly or indirectly, expressly or by implication, to consumers that Defendant shared only non-identifiable information with third parties and that these third parties tracked users only by IP address.

• In truth and fact, in numerous instances in which Defendant made the representations as set forth in Paragraph 70, Defendant did disclose identifiable information to third parties, which tracked users by means other than IP address. Namely, Defendant conveyed to third parties:

  • (1) Social media account information through the U-Share SDK.
  • (2) Device identifiers that could be used to identify users.
  • (3) Precise geolocation information as set forth in Paragraphs 5 to 6 and 33 to 41.

• Therefore, Defendant’s representations as set forth in Paragraph 70 are false and misleading and constitute a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

COUNT III. Deceptive Failure to Disclose – Sharing Geolocation Information with Third Parties

• In numerous instances, as alleged in Paragraph 22, Defendant represented, directly or indirectly, expressly or by implication, to consumers that consumers needed to turn on location sharing so that Premom could locate consumers’ Bluetooth thermometers.

• In numerous instances in which Defendant made the representations as set forth in Paragraph 73, Defendant failed to disclose, or failed to disclose adequately, that Defendant conveyed users’ geolocation information to Umeng and Jiguang, which Umeng and Jiguang could use and transfer for their own purposes, including third-party advertising. This additional information would be material to consumers in their decision to use Defendant’s services.

• In light of the representations set forth in Paragraph 73, Defendant’s failure to disclose the material information described in Paragraph 74 constitutes a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

COUNT IV. Privacy Misrepresentation – Third Parties’ Use of Shared Data

• In numerous instances, as alleged in Paragraph 23, Defendant represented, directly or indirectly, expressly or by implication, to consumers that Defendant would not use Premom users’ information for any purpose other than those outlined in Defendant’s privacy policies and terms of service.

• As alleged in Paragraph 23, Defendant further represented, directly or indirectly, expressly or by implication, to consumers that their data would be used and shared for Defendant’s own analytics and advertising.

• In truth and fact, in numerous instances in which Defendant made the representations as set forth in Paragraphs 76 and 77, Defendant’s representations were false or misleading. These representations were false or misleading because Defendant incorporated U-Share and JPush into Premom. By incorporating U-Share and JPush, Defendant conveyed users’ personal information to Umeng and Jiguang, which Umeng and Jiguang could use for their own purposes, such as third-party advertising as set forth in Paragraph 40.

• Therefore, Defendant’s representations as set forth in Paragraphs 76 and 77 are false and constitute a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

COUNT V. Deceptive Failure to Disclose – Third Parties’ Use of Shared Data

• In numerous instances, as alleged in Paragraph 23, Defendant represented, directly or indirectly, expressly or by implication, to consumers that their data would be used and shared for Defendant’s own analytics and advertising.

• In numerous instances in which Defendant made the representations set forth in Paragraph 80, Defendant failed to disclose, or failed to disclose adequately, that by incorporating U-Share and JPush into Premom, Defendant conveyed users’ personal information to Umeng and Jiguang, which Umeng and Jiguang could use and transfer for their own purposes, such as third-party advertising, as set forth in Paragraph 41. This additional information would be material to consumers in their decision to use Defendant’s services.

• In light of the representations set forth in Paragraph 80, Defendant’s failure to disclose the material information described in Paragraph 81 constitutes a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

COUNT VI. Unfair Privacy and Data Security Practices

• In numerous instances, as alleged in Paragraphs 46 to 48, Defendant failed to take reasonable measures to assess and address the privacy and data security risks created by third-party software it chose to incorporate into Premom.

• As described in Paragraphs 48 to 50, Defendant’s actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

• Therefore, Defendant’s acts or practices as set forth in Paragraph 83 constitute unfair acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

COUNT VII. Unfair Sharing of Health Information for Advertising Purposes Without Affirmative Express Consent

• In numerous instances, as alleged in Paragraphs 26 to 29, 47, and 48, Defendant failed to encrypt or label Premom users’ Custom App Events to prevent the transfer of users’ personal health information to Google and AppsFlyer. Because Defendant failed to encrypt or label Premom users’ Custom App Events, Defendant transferred their users’ health information to third parties without users’ knowledge, and without providing users notice or obtaining users’ affirmative express consent.

• As described in Paragraphs 49 and 50, Defendant’s actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

• Therefore, Defendant’s acts or practices as set forth in Paragraph 86 constitute an unfair act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

COUNT VIII. VIOLATION OF THE HEALTH BREACH NOTIFICATION RULE

16 C.F.R. § 318

• Defendant is a “vendor of personal health records,” as defined by Sections 318.2(d), 318.2(e), and 318.2(j) of the HBNR. 16 CFR §§ 318.2(d), (e), (j). Defendant is an entity, other than a HIPAA-covered entity, or an entity, to the extent that it engages in activities as a business associate of a HIPAA-covered entity, that maintains “an electronic record of PHR identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.” As described in Paragraphs 14 to 17, Premom draws health information from multiple sources. For instance, it allows users to input their own health information into Premom. Among other health information, a Premom user can upload a picture of an ovulation test, which Premom then analyzes to determine whether the user is ovulating. Premom also collects users’ health and non-health information from Bluetooth thermometers or third-party apps; for instance, a user can import from Apple Health her temperature and the date and time the temperature was taken. The information is managed, shared, or controlled by or primarily for the user. As described in Paragraphs 13 to 17, Premom allows users to manage and control the PHR identifiable health information held in the Premom app, and allows users to track their ovulation, menstruation, and other health information.

• In numerous instances, beginning in at least 2017, Defendant, as “a vendor of personal health records,” experienced “breaches of security” of more than 500 consumers’ unsecured PHR identifiable health information through the disclosure, and subsequent acquisition of Custom App Event titles relaying such information, by third parties such as Google and AppsFlyer, without the authorization of Premom users. This PHR identifiable health information was unsecured. This information was transferred to third parties such as Google and AppsFlyer without the use of encryption or other means to render it unusable, unreadable, or indecipherable to unauthorized individuals because this information was sent as Custom App Event titles in plain text, as described in Paragraphs 26 to 28 above.

• Defendant has failed to provide the required notifications, as prescribed by the HBNR, to:

  • (1) Individuals whose unsecured PHR identifiable health information was acquired by an unauthorized person.
  • (2) The Federal Trade Commission.
  • (3) Media outlets. 16 C.F.R. §§ 318.3–6.

• Pursuant to Section 13407(e) of the 2009 Recovery Act, and Section 318.7 of the HBNR, a violation of the HBNR constitutes an unfair or deceptive act or practice in or affecting commerce, in violation of Section 5(a) of the FTC Act. 42 U.S.C. § 17937(e); 16 CFR § 318.7; 15 U.S.C. §§ 45(a), 57a(d)(3).

• Therefore, Defendant’s acts or practices as set forth in Paragraphs 89 to 91 are deceptive and unfair acts or practices that violate Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

CONSUMER INJURY

• Consumers are suffering, have suffered, and will continue to suffer substantial injury as a result of Defendant’s violations of the FTC Act. Absent injunctive relief by this Court, Defendant is likely to continue to injure consumers and harm the public interest. Moreover, Defendant’s continued failure to notify consumers of its unauthorized disclosures, pursuant to the Health Breach Notification Rule, further harms users by depriving them of notice and an opportunity to mitigate the unauthorized disclosures, and any past, present, or future harm that may occur.

PRAYER FOR RELIEF

Wherefore, Plaintiff requests that the Court:

• Enter a permanent injunction to prevent future violations of the FTC Act and the Health Breach Notification Rule by Defendant.
• Award Plaintiff monetary civil penalties from Defendant for each violation of the Health Breach Notification Rule alleged in this Complaint.
• Award any additional relief as the Court determines to be just and proper.

Dated: May 17, 2023

OF COUNSEL

FOR THE FEDERAL TRADE COMMISSION:

• TIFFANY GEORGE
  Acting Assistant Director
  Division of Privacy and Identity Protection
  Federal Trade Commission
  600 Pennsylvania Avenue, N.W.
  (202) 326-2880
  (202) 326-3062 (fax)*

• DAVID WALKO
  Attorney
  Division of Privacy and Identity Protection
  Federal Trade Commission
  600 Pennsylvania Avenue, N.W.
  (202) 326-2098
  (202) 326-3062 (fax)*

FOR PLAINTIFF, THE UNITED STATES OF AMERICA:

• BRIAN M. BOYNTON
  Principal Deputy Assistant Attorney General
  Civil Division*

• ARUN G. RAO
  Deputy Assistant Attorney General*

• AMANDA N. LISKAMM
  Director*

• LISA K. HSIAO
  Assistant Director*

• RACHEL E. BARON
  Trial Attorney
  Consumer Protection Branch
  U.S. Department of Justice
  Civil Division
  450 Fifth Street NW
  Washington, D.C. 20530
  (202) 598-7719*

STIPULATED ORDER FOR PERMANENT INJUNCTION, CIVIL PENALTY JUDGMENT, AND OTHER RELIEF

Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission (“Commission”), filed its Complaint for Permanent Injunction, Civil Penalty Judgment, and Other Relief (“Complaint”), for a permanent injunction, civil penalties, and other relief in this matter, pursuant to Sections 13(b), 19, and 16(a)(1) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. §§ 53(b), 57b, and 56(a)(1). Plaintiff and Defendant stipulate to the entry of this Stipulated Order for Permanent Injunction, Civil Penalty Judgment, and Other Relief (“Order”) to resolve all matters in dispute in this action between them.

THEREFORE, IT IS ORDERED as follows:

FINDINGS

• This Court has jurisdiction over this matter.

• The Complaint charges that Defendant participated in deceptive and unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. § 45, and in violation of the Health Breach Notification Rule, 16 C.F.R. § 318.

• Defendant neither admits nor denies any of the allegations in the Complaint, except as specifically stated in this Order. Only for purposes of this action, Defendant admits the facts necessary to establish jurisdiction.

• Defendant waives any claim that it may have under the Equal Access to Justice Act, 28 U.S.C. § 2412, concerning the prosecution of this action through the date of this Order, and agrees to bear their own costs and attorney fees.

• Defendant and Plaintiff waive all rights to appeal or otherwise challenge or contest the validity of this Order.

DEFINITIONS

For the purpose of this Order, the following definitions apply:

• Affected Work Product means any models or algorithms developed in whole or in part using Covered Information collected from Covered Users.

• Affirmative Express Consent means any freely given, specific, informed, and unambiguous indication of an individual’s wishes demonstrating agreement by the individual, such as by a clear affirmative action, following a Clear and Conspicuous disclosure to the individual, apart from any “privacy policy,” “terms of service,” “terms of use,” or other similar document, of all information material to the provision of consent. Acceptance of a general or broad terms of use or similar document that contains descriptions of agreement by the individual along with other, unrelated information, does not constitute Affirmative Express Consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute Affirmative Express Consent. Likewise, agreement obtained through use of a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, does not constitute Affirmative Express Consent.

• App Event means any data disclosed to, or collected by, a third party via its Software Development Kit, application programming interface, pixel, or other method for tracking users’ interactions with Defendant’s services or products.

• Breach of Security means, with respect to Unsecured PHR Identifiable Health Information of an individual in a Personal Health Record, any acquisition of such information without the authorization of the individual. Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information unless the vendor of personal health records, PHR related entity, or third-party service provider that experienced the breach has reliable evidence showing that there has not been, or could not reasonably have been, unauthorized acquisition of such information.

• Clear and Conspicuous or Clearly and Conspicuously means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:

  • In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented.
  • A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
  • An audible disclosure, including by telephone or streaming video, must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
  • In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
  • The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the representation that requires the disclosure appears.
  • The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
  • The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
  • When the representation or sales practice targets a specific audience, such as children, the elderly, or the terminally ill, “ordinary consumers” includes reasonable members of that group.

• Covered Business means Defendant, any business that Defendant controls, directly or indirectly.

• Covered Incident means any instance of a violation of Section I, II, or III of this Order.

• Covered Information means information from or about an individual consumer including, but not limited to, Personal Information, Health Information, or PHR Identifiable Health Information.

• Covered User means any individual consumer who downloaded or used the Premom Ovulation Tracker mobile application.

• Defendant means Easy Healthcare Corporation, a corporation, also doing business as Easy Healthcare, and its successors and assigns.

• Delete, Deleted, or Deletion means to remove Covered Information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business.

• Health Care Provider means a provider of services (as defined in 42 U.S.C. § 1395x(u)), a provider of medical or other services (as defined in 42 U.S.C. § 1395x(s)), and any other person furnishing healthcare services or supplies.

• Health Information means medical records and other individually identifiable information relating to the past, present, or future physical or mental health or conditions of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. It includes, but is not limited to, information concerning fertility, menstruation, sexual activity, pregnancy, and childbirth. It also includes any individually identifiable information relating to health that is derived or extrapolated from non-health information (e.g., proxy, derivative, inferred, emergent, or algorithmic data). Health Information includes PHR Identifiable Health Information, as defined below, and Health Information associated with Personal Information.

• Individually Identifiable Health Information means any information, including demographic information, collected from an individual that:

  • Is created or received by a Health Care Provider, health plan, employer, or health care clearinghouse; and
  • Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and:
    • Identifies the individual; or
    • With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

• Location Information means any data that reveals a mobile device’s or consumer’s precise location, including but not limited to Global Positioning System (GPS) coordinates, fine or coarse location data, cell tower information, or location information inferred from basic service set identifiers (BSSIDs), WiFi Service Set Identifiers (SSID) information, or Bluetooth receiver information, and any data combined with such data. Data that reveals only a mobile device or consumer’s general location (e.g., zip code or location with a precision of one kilometer or more) is not Location Information.

• Personal Health Record means an electronic record of PHR Identifiable Health Information on an individual that can be drawn from multiple sources and is managed, shared, and controlled by or primarily for the individual.

• Personal Information means any individually identifiable information about an individual collected online, including:

  • A first and last name;
  • A home or physical address, including street name and name of city or town;
  • Location Information;
  • Online contact information, such as an email address or other similar identifier that permits direct contact with a person online;
  • A screen or user name where it functions in the same manner as online contact information;
  • A telephone number;
  • A government-issued identification number;
  • Credit card or other financial account information;
  • A persistent identifier, such as a customer number, mobile device ID, or IP address; or
  • Any information combined with any of the above.

• PHR Identifiable Health Information means Individually Identifiable Health Information, and information provided by or on behalf of the individual that identifies the individual or where there is a reasonable basis to believe that the information can be used to identify the individual.

• Software Development Kit means the code necessary to integrate a Third Party’s software—including advertisements—into an application, website, or other online service.

• Third Party or Third Parties means any individual or entity other than:

  • Defendant;
  • A service provider of Defendant that:
    • Uses or receives Covered Information collected by or on behalf of Defendant for and at the direction of the Defendant;
    • Does not disclose the data, or any individually identifiable information derived from such data, to any individual or entity other than Defendant or a subcontractor to such service provider bound to data processing terms no less restrictive than terms to which the service provider is bound; and
    • Does not use the data for any other purpose; or
  • Any entity that uses Covered Information only as reasonably necessary:
    • To comply with applicable law, regulation, or legal process;
    • To enforce Defendant’s terms of use; or
    • To detect, prevent, or mitigate fraud or security vulnerabilities.

• Unsecured means PHR Identifiable Health Information that is not protected through the use of a technology or methodology specified by the Secretary of Health and Human Services in the guidance issued under section 13402(h)(2) of the American Reinvestment and Recovery Act of 2009, 42 U.S.C. § 17932(h)(2).

ORDER

I. BAN ON DISCLOSURE OF HEALTH INFORMATION FOR ADVERTISING PURPOSES

IT IS ORDERED that:

• Defendant; Defendant’s officers, agents, employees, and attorneys; and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, are permanently restrained and enjoined from disclosing Health Information to Third Parties for Advertising Purposes.

• For purposes of this Section, Advertising Purposes means advertising, marketing, promoting, offering, offering for sale, or selling any products or services on, by, or through Third Party websites, Third Party mobile applications, or Third Party services. Advertising Purposes shall not include:

  • Reporting and analytics related to understanding advertising and advertising effectiveness, such as statistical reporting, traffic analysis, understanding the number and type of ads served, or conversion measurement, provided that any Third Party reporting or analytics service is restricted from using any Covered Information received from or provided to Defendant for any purpose other than to provide the reporting and analytics services to Defendant.
  • Communications, services, or products requested by a consumer that are sent by Defendant directly to the consumer, such as Defendant texting, emailing, or mailing a consumer, or showing content on Defendant’s own properties to a consumer.
  • Contextual advertising, meaning non-personalized advertising shown as part of a consumer’s current interaction with Defendant’s websites or mobile applications, provided that the consumer’s Covered Information is not disclosed to a Third Party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with Defendant’s websites or mobile applications.

II. PROHIBITION AGAINST MISREPRESENTATIONS

IT IS FURTHER ORDERED that Defendant; Defendant’s officers, agents, employees, and attorneys; and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with advertising, marketing, promoting, offering, offering for sale, or selling any product or service, are permanently restrained and enjoined from misrepresenting or assisting others, in any manner, expressly or by implication:

• The extent to which they collect, maintain, use, disclose, or permit access to any Covered Information, or protect the privacy, confidentiality, security, or integrity of any Covered Information.

• The extent to which the Covered Business collects, maintains, uses, discloses, deletes, or permits or denies access to any Covered Information, or the extent to which the Covered Business protects the availability, confidentiality, or integrity of any Covered Information.

• The purposes for which the Covered Business, or any entity to whom the Covered Business discloses or permits access to Covered Information, collects, maintains, uses, discloses, or permits access to any Covered Information.

• The extent to which a consumer can maintain privacy and anonymity associated with the consumer’s use of products or services offered by Covered Businesses.

• The extent to which consumers may exercise control over the Covered Business’s collection of, maintenance of, use of, deletion of, disclosure of, or permission of access to Covered Information, and the steps a consumer must take to implement such controls.

• The extent to which the Covered Business otherwise protects the privacy, security, availability, confidentiality, or integrity of Covered Information.

III. PROHIBITION AGAINST DISCLOSURE OF HEALTH INFORMATION WITHOUT AFFIRMATIVE EXPRESS CONSENT AND NOTICE

IT IS FURTHER ORDERED that:

• Defendant; Defendant’s officers, agents, employees, and attorneys; and all other persons in active concert or participation with any of them, who receive actual notice of this Order, in connection with any product or service, are permanently restrained and enjoined from disclosing Health Information to Third Parties for non-Advertising Purposes, without first obtaining Affirmative Express Consent.

• For purposes of this Section, Advertising Purposes means advertising, marketing, promoting, offering, offering for sale, or selling any products or services on, by, or through Third Party websites, Third Party mobile applications, or Third Party services. Advertising Purposes shall not include:

  • Reporting and analytics related to understanding advertising and advertising effectiveness, such as statistical reporting, traffic analysis, understanding the number of and type of ads served, or conversion measurement, provided that any Third Party reporting or analytics services are restricted from using any Covered Information received from or provided to Defendant for any purpose other than to provide the reporting and analytics services to Defendant.
  • Communications, services, or products requested by a consumer that are sent by Defendant directly to the consumer, such as Defendant texting, emailing, or mailing a consumer, or showing content on Defendant’s own properties to a consumer.
  • Contextual advertising, meaning non-personalized advertising shown as part of a consumer’s current interaction with Defendant’s websites or mobile applications, provided that the consumer’s Covered Information is not disclosed to a Third Party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with Defendant’s websites or mobile applications.

• When obtaining Affirmative Express Consent required under this Section, Defendant must provide notice Clearly and Conspicuously that states the categories of Health Information that will be disclosed to Third Parties, the identities of such Third Parties, all purposes for Defendant’s disclosures of such Health Information, what the Third Party is permitted to do with the Health Information, and whether or not any of the Health Information is protected under federal or state laws, including HIPAA or the California Consumer Privacy Act.

IV. HEALTH BREACH NOTIFICATIONS

IT IS FURTHER ORDERED that:

• Defendant, for any Covered Business, following the discovery of a Breach of Security of Unsecured PHR Identifiable Health Information that is in a Personal Health Record maintained or offered by any Covered Business (including, but not limited to, the Premom Ovulation Tracker mobile application), shall:

  • Notify each individual who is a citizen or resident of the United States whose Unsecured PHR Identifiable Health Information was acquired by an unauthorized person as a result of such Breach of Security.

  • Notify the Federal Trade Commission.

  • Notify prominent media outlets in a state or jurisdiction if the Unsecured PHR Identifiable Health Information of five hundred (500) or more residents of such state or jurisdiction is, or is reasonably believed to have been, acquired during such Breach of Security.

• For the purposes of this Section, a Breach of Security shall be treated as discovered as of the first day on which such breach is known or reasonably should have been known to Defendant. Defendant shall be deemed to have knowledge of a Breach of Security if such breach is known, or reasonably should have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of Defendant.

• Except as otherwise provided, all notifications to individuals or the media required under this Section shall be sent without unreasonable delay and in no case later than sixty (60) calendar days after the discovery. If a law enforcement official determines that a notification, notice, or posting required under this Section would impede a criminal investigation or cause damage to national security, such notification, notice, or posting shall be delayed. This Subsection shall be implemented in the same manner as provided under 45 CFR 164.528(a)(2), in the case of a disclosure covered under such section.

• Defendant providing notice under Subsection IV.A.1 shall do so by providing it in the following form:

  • Written notice, by first-class mail to the individual at the last known address of the individual, or by email or within-application messaging, if the individual is given a clear, conspicuous, and reasonable opportunity to receive notification by first-class mail, and the individual does not exercise that choice. If the individual is deceased, Defendant must provide such notice to the next of kin of the individual if the individual had provided contact information for their next of kin, along with authorization to contact them. The notice may be provided in one or more mailings as information is available.

  • If, after making reasonable efforts to contact all individuals to whom notice is required under Subsection IV.A.1 through the means provided in Subsection IV.D.1, Defendant finds that contact information for ten (10) or more individuals is insufficient or out-of-date, Defendant shall provide substitute notice, which shall be reasonably calculated to reach the individuals affected by the Breach of Security, in the following form:

    • Through a conspicuous posting for a period of ninety (90) days on the home page of its website.
    • In major print or broadcast media, including major media in geographic areas where the individuals affected by the Breach of Security likely reside. Such a notice in media or web posting shall include a toll-free phone number, which shall remain active for at least ninety (90) days, where an individual can learn whether or not the individual’s PHR Identifiable Health Information may be included in the Breach of Security.

  • In any case deemed by Defendant to require urgency because of possible imminent misuse of Unsecured PHR Identifiable Health Information, Defendant may provide information to individuals by telephone or other means, as appropriate, in addition to notice provided under Subsection IV.E.1.

• Defendant shall, in accordance with Subsection IV.A.2, provide notice to the Federal Trade Commission following the discovery of a Breach of Security. If the Breach of Security involves the Unsecured PHR Identifiable Health Information of five hundred (500) or more individuals, then such notice shall be provided as soon as possible and in no case later than ten (10) business days following the date of discovery of the Breach of Security. If the Breach of Security involves the Unsecured PHR Identifiable Health Information of fewer than five hundred (500) individuals, Defendant may maintain a log of any such Breach of Security and submit such a log annually to the Federal Trade Commission no later than sixty (60) calendar days following the end of the calendar year, documenting Breaches of Security from the preceding calendar year. Unless otherwise directed by a Commission representative in writing, Defendant must submit all notices and logs required under this Subsection to DEbrief@ftc.gov or send by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “U.S. v. Easy Healthcare Corporation.”

• Regardless of the method by which notice is provided to individuals, the Federal Trade Commission, or the media under this Section, notice of a Breach of Security shall be in plain language and include, to the extent possible, the following:

  • A brief description of what happened, including the date of the Breach of Security and the date of the discovery of the Breach of Security, if known.

  • A description of the types of PHR Identifiable Health Information that were involved in the Breach of Security (such as full name, Social Security number, date of birth, home address, account number, or disability code).

  • Steps individuals should take to protect themselves from potential harm resulting from the Breach of Security.

  • A brief description of what the entity that suffered the Breach of Security is doing to investigate the breach, mitigate harm, and protect against any further breaches.

  • Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an email address, website, or postal address.

V. NOTICE TO USERS

IT IS FURTHER ORDERED that, within twenty-eight (28) days of entry of this Order, Defendant shall post Clearly and Conspicuously on the home page of Defendant’s websites (healthcare-manager.com; premom.com) and the home screen of Defendant’s mobile application (Premom Ovulation Tracker), a link to an exact copy of the notice attached hereto as Exhibit A ("Notice"). Defendant must leave this Notice in place for six (6) months after posting it. Defendant must also email the Notice to Covered Users that downloaded and used Premom from November 2017 to August 2022. However, if Defendant does not have email information for any such Covered User, Defendant must send the Notice to that Covered User through Defendant’s primary means of communicating with that Covered User (such as a notification within Defendant’s mobile application). Defendant shall not include any other information, documents, or attachments with the Notice.

VI. DELETION OF COVERED INFORMATION

IT IS FURTHER ORDERED that, within forty-five (45) days of entry of this Order:

• Defendant must:

  • Identify all Third Parties that received Covered Information of Covered Users from Defendant in any form, including hashed or encrypted Covered Information. Identify the Covered Information of Covered Users received, provide a copy of the Complaint and Order to all Third Parties that received Covered Information, and notify all such Third Parties in writing that the Federal Trade Commission alleged that Defendant disclosed Covered Information of Covered Users in a manner that was unfair or deceptive and in violation of the FTC Act.

  • Instruct Jiguang and Umeng to Delete all Covered Information received from Defendant of Covered Users that downloaded and used the Premom Ovulation Tracker mobile application from November 2017 through August 2020 and demand written confirmation that all Covered Information has been deleted. Instruct AppsFlyer, Inc. and Google LLC to Delete all Health Information collected respectively through the AppsFlyer SDK or the Google Analytics for Firebase SDK of Covered Users that downloaded and used Premom from November 2017 through August 2022 and demand written confirmation that all the Health Information of such Covered Users has been deleted.

• Defendant’s instruction to each such Third Party under Subsection A shall include a description of the Covered Information or Health Information, as relevant, of Covered Users shared with the Third Party during the relevant time period. Defendant must provide all instructions sent to the Third Parties to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “United States v. Easy Healthcare Corporation.”

• Defendant shall not disclose any Covered Information in any form, including hashed or encrypted Covered Information, to any Third Party identified in Subsection A above until Defendant confirms each Third Party’s receipt of the instructions required by Subsection A above. Defendant must provide all receipts of confirmation and any responses from Third Parties within five (5) days of receipt to: DEbrief@ftc.gov or send by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “United States v. Easy Healthcare Corporation.”

• Defendant shall not use any Third Party identified in Subsection A above to advertise, market, promote, offer, offer for sale, or sell any product or service until Defendant confirms each Third Party’s receipt of the instructions required by Subsection A above.

VII. MANDATED PRIVACY AND INFORMATION SECURITY PROGRAM

IT IS FURTHER ORDERED that any Covered Business, in connection with the collection, maintenance, use, disclosure of, or provision of access to Covered Information, must, within sixty (60) days of entry of this Order, establish and implement, and thereafter maintain, a comprehensive privacy and information security program ("Program") that protects the privacy, security, availability, confidentiality, and integrity of such Covered Information. To satisfy this requirement, Defendant must, at a minimum:

• Document in writing the content, implementation, and maintenance of the Program.

• Provide the written program and any evaluations thereof or updates thereto to each Covered Business’s board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of the Covered Business responsible for the Covered Business’s Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident.

• Designate a qualified employee or employees, who report(s) directly to the Chief Executive Officer(s) or, in the event a Chief Executive Officer role does not exist, a similarly-situated executive, to coordinate and be responsible for the Program. Keep the Chief Executive Officer(s) and Board of Directors informed of the Program, including all actions and procedures implemented to comply with the requirements of this Order, and any actions and procedures to be implemented to ensure continued compliance with this Order.

• Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, internal and external risks in each area of the Covered Business’s operations to the privacy, security, availability, confidentiality, and integrity of Covered Information that could result in the unauthorized access, collection, use, destruction, or disclosure of, or provision of access to, Covered Information.

• Design, implement, maintain, and document safeguards that control for the internal and external risks to the privacy, security, availability, confidentiality, and integrity of Covered Information identified by each Covered Business in response to Subsection VII.D. Each safeguard must be based on the volume and sensitivity of the Covered Information that is at risk and the likelihood that the risk could be realized and result in unauthorized access, collection, use, destruction, or disclosure of, or provision of access to, the Covered Information. Such safeguards must also include:

  • Policies, procedures, and technical measures to systematically inventory Covered Information in the Covered Business’s control and delete Covered Information that is no longer necessary to fulfill the purpose for which the Covered Information was collected.

  • Policies, procedures, and technical measures to prevent the collection, maintenance, use, or disclosure of, or provision of access to, Covered Information inconsistent with the Covered Business’s representations to consumers.

  • Audits, assessments, and reviews of the contracts, privacy policies, and terms of service associated with any Third Party to which each Covered Business discloses or provides access to Covered Information.

  • Policies, procedures, and controls to ensure the Covered Business complies with Sections I-IV above.

  • Policies and technical measures that limit employee and contractor access to Covered Information to only those employees and contractors with a legitimate business need to access such Covered Information.

  • Mandatory privacy training programs for all employees on at least an annual basis, updated to address the collection, use, and disclosure of Covered Information; any internal or external risks identified by each Covered Business in Subsection VII.D and safeguards implemented pursuant to Subsection VII.E, including training on the requirements of this Order.

  • A data retention policy that, at a minimum, includes:

    • A retention schedule that limits the retention of Covered Information for only as long as is reasonably necessary to fulfill the purpose for which the Covered Information was collected; provided, however, that such Covered Information need not be destroyed and may be disclosed to the extent requested by a government agency or required by law, regulation, or court order.

    • A requirement that each Covered Business document, adhere to, and make publicly available in its privacy policy a retention schedule for Covered Information, setting forth: (1) the purposes for which such information is collected; (2) the specific business need for retaining each type of Covered Information; and (3) a set timeframe for deletion of each type of Covered Information (absent any intervening deletion requests from consumers) that precludes indefinite retention of any such Covered Information.

  • Audits, assessments, reviews, or testing of Software Development Kits, and their associated Third Parties, to which each Covered Business shares or provides access to Covered Information of any Covered User.

  • For each product or service offered by any Covered Business, Clearly and Conspicuously disclose the categories of Covered Information collected from Covered Users, the purposes for the collection of each category of such Covered Information, and any transfers of such Covered Information to Third Parties. For each such transfer of Covered Information, such disclosure must, at a minimum, include:

    • The specific categories of Covered Information transferred.

    • The identity and specific category of the recipient Third Party of each such transfer.

    • The purposes for which the Covered Business transferred the Covered Information.

    • The purposes for which each recipient Third Party of Covered Information could use such Covered Information, including but not limited to the purposes for which each recipient reserves the right to use such Covered Information.

    • Whether each recipient Third Party of such transfer of Covered Information reserves the right to transfer such Covered Information to other parties.

• Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, availability, confidentiality, and integrity of Covered Information, and modify the Program based on the results.

• Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, and modify the Program based on the results.

• Select and retain service providers capable of safeguarding Covered Information it receives from the Covered Business, and contractually require service providers to implement and maintain safeguards sufficient to address the internal and external risks to the privacy, security, availability, confidentiality, or integrity of Covered Information.

• Evaluate and adjust the Program in light of any material changes to each Covered Business’s operations or business arrangements, the results of the testing and monitoring required by Subsection VII.F, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Subsection VII.D, and any other circumstances that the Covered Business knows or has reason to believe may have a material impact on the effectiveness of the Program or any of its individual safeguards. The Covered Business may make this evaluation and adjustment to the Program at any time, but must, at a minimum, evaluate the Program at least once every twelve (12) months and modify the Program as necessary based on the results.

VIII. PRIVACY AND INFORMATION SECURITY ASSESSMENT BY A THIRD PARTY

IT IS FURTHER ORDERED that, in connection with compliance with Section VII, for any Covered Business that collects, maintains, uses, discloses, or provides access to Covered Information, Defendant must obtain initial and biennial assessments ("Assessments"):

• The Assessments must be obtained from one or more qualified, objective, independent third-party professionals ("Assessor(s)") who:

  • Use procedures and standards generally accepted in the profession.
  • Conduct an independent review of the Program.
  • Retain all documents relevant to each Assessment for five (5) years after completion of such Assessment.
  • Will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. No documents may be withheld on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory exemption, or any similar claim. Defendant may obtain separate assessments for privacy and information security from multiple Assessors, so long as each of the Assessors meets the qualifications set forth above. The Assessor(s) must have a minimum of three (3) years of experience in the field of privacy and data protection.

• For each Assessment, Defendant must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director shall have the authority to approve in his or her sole discretion.

• The reporting period for the Assessments must cover:

  • The first one-hundred-and-eighty (180) days after the Privacy and Information Security Program required by Section VII has been put in place for the initial Assessment.
  • Each two (2) year period thereafter for twenty (20) years after the entry of this Order for the biennial Assessment.

• Each Assessment must, for the entire assessment period:

  • Determine whether Defendant has implemented and maintained the Program required by Section VII.
  • Assess the effectiveness of Defendant’s implementation and maintenance of Subsections VII.A-I.
  • Identify any gaps or weaknesses in the Program or instances of material non-compliance with Subsections VII.A-I.
  • Address the status of gaps or weaknesses in the Program, as well as any instances of material non-compliance with Subsections VII.A-I, that were identified in any prior Assessment required by this Order.
  • Identify specific evidence (including, but not limited to, documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is:
    • Appropriate for assessing an enterprise of Defendant’s size, complexity, and risk profile.
    • Sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely solely on assertions or attestations by Defendant, Defendant’s management, or a Covered Business’s management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Program and did not rely solely on assertions or attestations by Defendant, Defendant’s management or a Covered Business’s management, and state the number of hours that each member of the Assessor’s assessment team worked on the Assessment.
    • To the extent Defendant revises, updates, or adds one or more safeguards required under Section VII.E in the middle of an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.

• Each Assessment must be completed within ninety (90) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Defendant must submit the initial Assessment to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “United States v. Easy Healthcare Corporation.” All subsequent biennial Assessments must be retained by Defendant until the Order is terminated and provided to the Associate Director for Enforcement within ten (10) days of request.

IX. COOPERATION WITH ASSESSOR(S)

IT IS FURTHER ORDERED that Defendant, whether acting directly or indirectly, in connection with the Assessments required by Section VIII, must:

• Provide or otherwise make available to the Assessor(s) all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege.

• Provide or otherwise make available to the Assessor(s) information about all Covered Information in Defendant’s custody or control that is relevant to the Assessment, so that the Assessor(s) can determine the scope of the Assessment.

• Disclose all material facts to the Assessor(s), and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s:

  • Determination of whether Defendant has implemented and maintained the Program required by Section VII.
  • Assessment of the effectiveness of the implementation and maintenance of Subsections VII.A-I.
  • Identification of any gaps or weaknesses in, or instances of material noncompliance with, the Program required by Section VII.

X. ANNUAL CERTIFICATION

IT IS FURTHER ORDERED that Defendant must:

• One (1) year after the entry of this Order, and each year thereafter for twenty (20) years, provide the Commission with a certification from Defendant, for each Covered Business, that:

  • The Covered Business has established, implemented, and maintained the requirements of this Order.
  • The Covered Business is not aware of any material noncompliance that has not been:
    • Corrected, or
    • Disclosed to the Commission.
  • Includes a brief description of any Covered Incident. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.

• Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, D.C. 20580. The subject line must begin, “United States v. Easy Healthcare Corporation.”

XI. COVERED INCIDENT REPORTS

IT IS FURTHER ORDERED that Defendant, for any Covered Business, within thirty (30) days after Defendant’s discovery of a Covered Incident, must submit a report to the Commission, unless the Covered Incident also constitutes a Breach of Security involving the Unsecured PHR Identifiable Health Information of 500 or more individuals and therefore requires notice under Section IV of this Order. The report must include, to the extent possible:

• The date, estimated date, or estimated date range when the Covered Incident occurred.
• A description of the facts relating to the Covered Incident, including the causes and scope of the Covered Incident, if known.
• The number of consumers whose information was affected.
• The acts that Defendant has taken to date to remediate the Covered Incident, protect Covered Information from further disclosure, exposure, or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident.
• A representative copy of any materially different notice sent by Defendant to consumers or to any U.S. federal, state, or local government entity.

Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “United States v. Easy Healthcare Corporation.”

XII. MONETARY JUDGMENT FOR CIVIL PENALTY

IT IS FURTHER ORDERED that:

• Judgment in the amount of one hundred thousand dollars ($100,000) is entered in favor of Plaintiff against Defendant, jointly and severally, as a civil penalty.

• Defendant is ordered to pay to Plaintiff, by making payment to the Treasurer of the United States, one hundred thousand dollars ($100,000), which, as Defendant stipulates, its undersigned counsel holds in escrow for no purpose other than payment to Plaintiff. Such payment must be made within seven (7) days of entry of this Order by electronic fund transfer in accordance with instructions previously provided by a representative of Plaintiff.

XIII. ADDITIONAL MONETARY PROVISIONS

IT IS FURTHER ORDERED that:

• Defendant relinquishes dominion and all legal and equitable right, title, and interest in all assets transferred pursuant to this Order and may not seek the return of any assets.
• The facts alleged in the Complaint will be taken as true, without further proof, in any subsequent civil litigation by or on behalf of the Commission in a proceeding to enforce its rights to any payment or monetary judgment pursuant to this Order.
• Defendant acknowledges that their Taxpayer Identification Numbers, Social Security Numbers, or Employer Identification Numbers, which Defendant previously submitted to the Commission, may be used for collecting and reporting on any delinquent amount arising out of this Order, in accordance with 31 U.S.C. §7701.

XIV. ORDER ACKNOWLEDGEMENTS

IT IS FURTHER ORDERED that Defendant obtains acknowledgments of receipt of this Order:

• Defendant, within seven (7) days after the entry of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
• For twenty (20) years after entry of this Order, Defendant must deliver a copy of this Order to:
  • All principals, officers, directors, and LLC managers and members;
  • All employees, agents, and representatives having managerial responsibilities for conduct related to the subject matter of the Order; and
  • Any business entity resulting from any change in structure as set forth in the Section titled Compliance Reporting.
• Delivery must occur within fourteen (14) days after entry of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
• From each individual or entity to which Defendant delivered a copy of this Order, Defendant must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.

XV. COMPLIANCE REPORTING

IT IS FURTHER ORDERED that Defendant makes timely submissions to the Commission:

• One year after entry of this Order, Defendant must submit a compliance report, sworn under penalty of perjury. Defendant must:

  • Identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission and Plaintiff may use to communicate with Defendant.
  • Identify all of Defendant’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses.
  • Describe the activities of each business, including the products and services offered, the means of advertising, marketing, and sales, and the involvement of Defendant.
  • Describe in detail whether and how Defendant is in compliance with each Section of this Order.
  • Provide a copy of each Order Acknowledgment obtained pursuant to this Order, unless previously submitted to the Commission.

• For twenty (20) years after entry of this Order, Defendant must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following:

  • Any designated point of contact.
  • The structure of Defendant or any entity that Defendant has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.

• Defendant must submit to the Commission notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against Defendant within 14 days of its filing.

• Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: _____” and supplying the date, signatory’s full name, title (if applicable), and signature.

• Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “United States v. Easy Healthcare Corporation.”

XVI. RECORDKEEPING

IT IS FURTHER ORDERED that Defendant must create certain records for twenty (20) years after the entry of the Order, and retain each such record for five (5) years, unless otherwise specified below. Specifically, Defendant, for any business that Defendant is a majority owner or controls directly or indirectly, must create and retain the following records:

• Accounting records showing the revenues from all products or services sold.
• Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s:
  • Name;
  • Addresses;
  • Telephone numbers;
  • Job title or position;
  • Dates of service;
  • (If applicable) the reason for termination.
• Copies or records of all consumer complaints and refund requests related to any mobile application or website offered by Defendant, concerning the collection, use, maintenance, disclosure, deletion, or permission of access to Covered Information, whether received directly or indirectly, such as through a third party, and any response.
• Records of all disclosures of Health Information or PHR Identifiable Health Information to Third Parties showing, for each Third Party that received Health Information or PHR Identifiable Health Information:
  • The name and address of the Third Party;
  • The date(s) of such disclosures;
  • The purpose(s) for which the Health Information or PHR Identifiable Health Information was transferred;
  • How and when Covered Users provided authorization for the disclosures.
• Records of all disclosures of App Events to Third Parties.
• A copy of each unique advertisement, form advertisement (where an advertisement is generated based on a form advertisement), or other marketing material making a representation subject to this Order.
• A copy of each widely disseminated representation by Defendant that describes the extent to which Defendant maintains or protects the privacy, security, and confidentiality of any Covered Information, including any representation concerning a change in any website or other service controlled by Defendant that relates to the privacy, security, and confidentiality of Covered Information.
• For five (5) years after the date of preparation of each Assessment required by Section VIII, all materials provided to the Assessor(s) by the Respondent to prepare the Assessment, whether prepared by or on behalf of Defendant, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, and any other materials concerning Defendant’s compliance with related Sections of this Order, for the compliance period covered by such Assessment.
• For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communication relates to Defendant’s compliance with this Order.
• For five (5) years from the date created or received, all records, whether prepared by or on behalf of Defendant, that tend to show any lack of compliance by Defendant with this Order.
• All records necessary to demonstrate full compliance with each section of this Order, including all submissions to the Commission.

XVII. COMPLIANCE MONITORING

IT IS FURTHER ORDERED that, for the purpose of monitoring Defendant’s compliance with this Order:

• Within fourteen (14) days of receipt of a written request from a representative of the Commission or Plaintiff, Defendant must:
  • Submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.
  • The Commission and Plaintiff are also authorized to obtain discovery, without further leave of court, using any of the procedures prescribed by Federal Rules of Civil Procedure 29, 30 (including telephonic depositions), 31, 33, 34, 36, 45, and 69.
• For matters concerning this Order, the Commission and Plaintiff are authorized to communicate directly with Defendant. Defendant must permit representatives of the Commission and Plaintiff to interview anyone affiliated with Defendant who has agreed to such an interview. The person interviewed may have counsel present.
• The Commission and Plaintiff may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Defendant or any individual or entity affiliated with Defendant, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.

XVIII. RETENTION OF JURISDICTION

IT IS FURTHER ORDERED that this Court retains jurisdiction of this matter for purposes of construction, modification, and enforcement of this Order.

SO ORDERED this ____ day of June 2023.

UNITED STATES DISTRICT JUDGE

SO STIPULATED AND AGREED:

FOR PLAINTIFF UNITED STATES OF AMERICA
BRIAN M. BOYNTON
Principal Deputy Assistant Attorney General
Civil Division

ARUN G. RAO
Deputy Assistant Attorney General

AMANDA N. LISKAMM
Director

LISA K. HSIAO
Assistant Director

/s/ Rachel E. Baron
RACHEL E. BARON
Trial Attorney
Consumer Protection Branch
U.S. Department of Justice
Civil Division
450 Fifth Street NW
Washington, D.C. 20530
(202) 598-7719

OF COUNSEL
FOR THE FEDERAL TRADE COMMISSION
TIFFANY GEORGE
Acting Assistant Director
Division of Privacy and Identity Protection

DAVID WALKO
RONNIE SOLOMON
Attorneys
Division of Privacy and Identity Protection
Federal Trade Commission
600 Pennsylvania Avenue NW
Washington, DC 20580
(202) 326-2880
(202) 326-2098
dwalko@ftc.gov
rsolomon@ftc.gov

FOR DEFENDANT EASY HEALTHCARE CORPORATION:

Date: 3/24/2023
Brenda R. Sharton
Benjamin M. Sadun
Hilary Bonaccorsi
DECHERT LLP
Counsel for Easy Healthcare Corporation

DEFENDANT:

Date: 03/27/2023
Xiaolian Liu Li
Chief Executive Officer
Easy Healthcare Corporation

Exhibit A

Website and Mobile Application Notice

Between November 2017 and August 2022, we shared the personal information (such as unique identification number) of users of the Premom Ovulation Tracker app with the analytics divisions of Google and AppsFlyer. We also shared activities on the app related to users’ fertility, periods, and pregnancy. Between January 2018 and August 2020, we also shared users’ information with Aurora Mobile and Umeng. This included the unique identification number from users’ phones and their device location.

We did not share users’ names, birth dates, or addresses with any of the above companies.
The Federal Trade Commission alleged that we shared this information without users’ permission in violation of the law. To resolve the case with the FTC:

• We’ll tell Google and AppsFlyer to delete the information that the FTC says we collected without our users’ permission. And we’ll tell Aurora Mobile and Umeng to delete all information that the FTC says we collected without our users’ permission, too.
• We’ll never share your health information with third parties (like Google, AppsFlyer, Aurora Mobile, or Umeng) for advertising purposes.
• We won’t share your health information with third parties (like Google, AppsFlyer, Aurora Mobile, or Umeng) for other purposes, unless we get your permission first.
• We’ll put in place a comprehensive privacy and information security program to protect our users’ information. An independent auditor will review our program to make sure we are protecting our users’ information. These audits will happen every two years for 20 years.

If you have any questions, you can email us at [email]@premom.com.
To learn more about the settlement, go to ftc.gov and search for “Premom.”
Read the FTC’s Does your health app protect your sensitive info? to learn more about protecting your health privacy.

Notice to Covered Users

Between November 2017 and August 2022, you used the Premom Ovulation Tracker app. During that time, we shared your information (such as unique identification number) with the analytics divisions of Google and AppsFlyer. We also shared activities on the app related to your fertility, periods, and pregnancy. If you used the Premom Ovulation Tracker app between January 2018 and August 2020, we also shared your information with Aurora Mobile and Umeng. This included the unique identification number from your phone and your device location.

We did not share your name, birth date, or address with any of these companies.
The Federal Trade Commission alleged that we shared this information without users’ permission in violation of the law. To resolve the case with the FTC:

• We’ll tell Google and AppsFlyer to delete the information that the FTC says we collected without our users’ permission. And we’ll tell Aurora Mobile and Umeng to delete all information that the FTC says we collected without our users’ permission, too.
• We’ll never share your health information with third parties (like Google, AppsFlyer, Aurora Mobile, or Umeng) for advertising purposes.
• We won’t share your health information with third parties (like Google, AppsFlyer, Aurora Mobile, or Umeng) for other purposes, unless we get your permission first.
• We’ll put in place a comprehensive privacy and information security program to protect your information. An independent auditor will review our program to make sure we are protecting your information. These audits will happen every two years for 20 years.

If you have any questions, you can email us at [email]@premom.com.
To learn more about the settlement, go to ftc.gov and search for “Premom.”
Read the FTC’s Does your health app protect your sensitive info? to learn more about protecting your health privacy.

Statement of Reasons for Settlement

This statement accompanies the Stipulated Order for Permanent Injunction, Civil Penalty Judgment, and Other Relief (“Stipulated Order”) executed by defendant Easy Healthcare Corporation (“Defendant”) in settlement of an action brought to recover civil penalties and equitable relief for engaging in acts or practices in violation of the Federal Trade Commission Act (“FTC Act”) and the Commission’s Health Breach Notification Rule (“HBNR”), 16 C.F.R. § 318. The Stipulated Order imposes a $100,000 civil penalty judgment and provides for robust injunctive relief.

Pursuant to Section 5(m)(3) of the Federal Trade Commission Act, as amended (15 U.S.C. § 45(m)(3)), the Commission hereby sets forth its reasons for settlement by entry of the Stipulated Order:

On the basis of the allegations contained in the attached Complaint for Permanent Injunction, Civil Penalty Judgment, and Other Relief (“Complaint”), and the factors set forth in Section 5(m)(1)(C) of the FTC Act, 15 U.S.C. § 45(m)(1)(C), the Commission believes that the $100,000 civil penalty and the injunctive relief constitutes an appropriate settlement. The civil penalty judgment, coupled with provisions enjoining Defendant from further violations of the FTC Act and the HBNR, banning Defendant’s sharing of certain types of information, and requiring that Defendant implement a comprehensive privacy and information security compliance program and obtain assessments of that program, are effective means to ensure Defendant’s future compliance and to deter others who might violate these laws. Additionally, with the entry of such a Stipulated Order, the time and expense of litigation will be avoided.

For the foregoing reasons, the Commission believes that the settlement by entry of the attached Stipulated Order with Defendant is justified and well within the public interest.