Reproductive health apps under scrutiny with end of Roe v. Wade apparently imminent

Glow is a San Francisco startup whose fertility tracking app allegedly failed to protect users' private information -- including whether they had had an abortion.

The state of California sued in 2020 under its health information privacy law, and the appmaker ultimately agreed to pay a $250,000 fine and institute reforms designed to protect privacy and to take into account the particular privacy concerns of women.

As the US Supreme Court appears poised to overturn the 1973 Roe v. Wade decision that legalized abortion, more such cases could be on the horizon. Regulators and lawmakers who see a threat to reproductive rights are increasingly scrutinizing the privacy, security and accuracy of digital services around reproductive health and other types of health data.

Democrats in Congress on Friday asked Google to respond to research that found its search engine frequently directs those seeking abortions to anti-abortion clinics. California Attorney General Rob Bonta, meanwhile, says his office is scrutinizing apps or websites that collect reproductive health data. Companies that don’t measure up on their privacy and security protections, the AG warned in a recent enforcement advisory, could find themselves facing allegations like those against Glow — that they violated the California Confidentiality of Medical Information Act (CMIA).

“This is a moment of reckoning for the country,” Bonta told MLex. “With reproductive rights under unprecedented threat, apps collecting medical information, particularly reproductive health information, have a legal and moral responsibility to protect user privacy.”

While the CMIA is a state law, “I hope companies will look at both this law and the groundbreaking injunctive terms we secured against Glow and use them as a roadmap to better protect reproductive health information, in California and nationwide,” Bonta said.

Personal Privacy

A woman’s “right of personal privacy” — based on the First, Fourth, Fifth, Ninth and Fourteenth Amendments to the US Constitution — was the basis of the Supreme Court’s abortion rights decision nearly 50 years ago. That right is distinct from laws that protect the privacy and security of personal data. A leaked draft of a Supreme Court opinion written by Justice Samuel Alito that would overturn Roe v. Wade only mentions the word “privacy” five times and uses other vectors of legal attack against the 1973 opinion written by Justice Harry Blackmun.

If Roe v. Wade is overturned, however, abortion would become illegal in many states and could be the basis for criminal charges against abortion providers and anyone else who aids a woman getting an abortion in states such as Texas and Louisiana.

Some medical ethicists are deeply concerned about the privacy and security of reproductive health data held by tech companies as the justices’ decision looms. Commercial apps that collect health data — including sleep trackers, weight loss apps, blood sugar trackers, fitness apps and fertility trackers — are generally not covered by the primary US medical privacy law, the Health Insurance Portability and Accountability Act of 1996. HIPAA is keyed to “covered entities” and their business partners, such as doctors, hospitals, and insurance companies, and not to health-related data itself.

HIPAA has numerous exceptions to its protections, and legal scholars and ethicists worry that covered entities may be compelled to disclose protected health information due to a court order sought by police, a subpoena, or a discovery request — in addition to disclosures by tech companies or other non-HIPAA covered entities. New state privacy laws such as the California Privacy Rights Act define health-related data held by commercial companies as “sensitive personal data” subject to stronger protections, but few states have those protections.

“Across the nation, people have the impression that health information is protected because it’s health information. But that is not accurate,” said Katye Spector-Bagdady, a lawyer and medical ethicist at the University of Michigan. “That is why these additional privacy protections are so important and, unfortunately right now, they mainly exist in California.”

Commercial apps

The distinction between HIPAA protections and commercially held health data was underscored in a lawsuit filed Friday in San Francisco against Meta Platforms. The suit alleged Meta’s Facebook Pixel tracking software was embedded in more than 600 health care websites. Data harvested by Facebook Pixel, the suit said, illegally gave Meta access to sensitive data such as patient status that the company could use to target advertising — data a HIPAA-covered entity would be barred from sharing.

The suit didn't cite HIPAA, but instead alleged violations under the federal Wire Tap Act and several other California privacy laws.

Privacy advocates and regulators including Bonta and the US Federal Trade Commission are increasingly concerned about the growing galaxy of apps and websites that offer health care-like services but that aren't covered by HIPAA.

The FTC last year asserted its oversight of such non-HIPAA regulated health apps, and in March it handed out a novel and painful punishment to children’s weight-loss app Kurbo, operated by Weight Watchers. The FTC required Weight Watchers to delete the data the Kurbo app stored and destroy any algorithms it created that ran on that data.

The FTC also finalized a settlement last year with another ovulation tracking app, Flo Health, which the FTC said improperly shared millions of users’ reproductive data with Facebook, Google and other marketing and analytics firms. Flo Health is still facing proposed class action litigation in US District Court in San Francisco.

Glow, the fertility tracker California sued in 2020, “had serious basic security failures that put its users' data at risk,” former Attorney General Xavier Becerra said in the state’s complaint.

Glow didn't verify old passwords when a user changed a password, meaning an attacker could simply change the account password to access that user’s stored medical information, the complaint said. Among the data users could share with the Glow app were medications, fertility test results, ovulation-cycle calculations, sexual experiences, efforts to become pregnant, and pregnancy histories such as miscarriages, stillbirths, and abortions.

And over a three-year period, the “Partner Connect” feature in the Glow app that allowed users to link accounts to share medical information automatically granted any linking request “without any authorization or confirmation from the user who was about to have their information shared,” the suit alleged.

In addition to the $250,000 fine, the attorney general required Glow to institute privacy-by-design and security-by-design principles into its existing and future software. The settlement also required Glow to provide regular and ongoing employee training about online threats affecting women, including cyberstalking and online harassment, as well as privacy issues related to reproduction and reproductive rights.

Bonta would likely seek similar penalties for other apps that failed to protect reproductive health data, MLex has learned. Glow didn't respond to a request for comment from MLex.

Location Data

Some experts worry that abortion “bounty” laws, such as a Texas law that offers a reward of $10,000 or more for anyone who successfully sues to block an abortion, could create demand for a black market in personal data around abortion — including data such as a person’s location.

Because the Texas law “does not just criminalize the act of abortion, but also the provision of information surrounding it,” Spector-Bagdady said, it could be a powerful incentive for people to purchase commercially available data to claim those bounties.

The privacy threat is broader than to reproductive health data, and is an issue because so many apps share location data, frequently without the knowledge of their users.

Media outlet Vice recently reported that it was able to buy location information from a data broker company called SafeGraph on traffic to Planned Parenthood clinics that offered abortions, including where people visiting the clinics came from, how long they stayed at the clinic and where they went afterwards. While the data was aggregated, privacy advocates say such location data can often be tied back to unique individuals, particularly in smaller communities where fewer phones are sharing data.

Location data derived from apps running on smartphones has already been used by antiabortion groups to convince women to avoid an abortion. Massachusetts Attorney General Maura Healey in 2017 reached a settlement with a Boston-area digital ads company to stop the use of geofencing technology to display anti-abortion ads to women who were in or near abortion clinics in Ohio, Virginia, New York, Pennsylvania and Missouri.

Copley Advertising had placed geofences around those clinics so that any phone that that came nearby triggered ads that would be served for up to 30 days such as “Pregnancy Help,” “You Have Choices,” and “You’re Not Alone.”

That practice violated Massachusetts consumer protection laws that protect “privacy in ... medical decisions and conditions,” the attorney general said, because Copley took advantage of technology that tracked consumers’ physical location, disclosed it to third-party advertisers, and targeted consumers with ads about their "private, sensitive, and intimate medical or physical condition" without consent.

“Consumers may not realize when they installed these apps that the app would disclose their location information for purposes unrelated to the app, including advertising,” Healey said.