A press release from California’s Attorney General, posted September 17:
SACRAMENTO – California Attorney General Xavier Becerra today announced a landmark settlement against Glow, Inc. (Glow), a technology company that operates a fertility-tracking mobile app that stores personal and medical information. The settlement, which is subject to court approval, resolves the Attorney General’s investigation of Glow’s app for serious privacy and basic security failures that put women’s highly sensitive personal and medical information at risk. In addition to a $250,000 civil penalty, the settlement includes injunctive terms that require Glow to comply with state consumer protection and privacy laws, and a first-ever injunctive term that requires Glow to consider how privacy or security lapses may uniquely impact women.
“When you meet with your doctor or healthcare provider in person, you know that your sensitive information is protected. It should be no different when you use healthcare apps over the internet,” said Attorney General Becerra. “Mobile apps, like Glow, that make it their business to collect sensitive medical information know they must ensure your privacy and security. Excuses are not an option. A digital disclosure of your private medical records is instantaneously and eternally available to the world. Today’s settlement is a wake-up call not just for Glow, Inc., but for every app maker that handles sensitive private data.”
The Attorney General’s complaint alleges the Glow app:
- Failed to adequately safeguard health information;
- Allowed access to users’ information without the users’ consent; and
- Had additional security problems with the app’s password change function that could have allowed third parties to reset user account passwords and access information in those accounts without user consent.
The injunctive terms of the settlement require Glow to incorporate privacy and security design principles into its mobile apps. Glow will also be required to obtain affirmative consent from users prior to sharing or disclosing personal, medical, or sensitive information, and it will be required to allow users to revoke previously granted consent.
Attorney General Becerra has secured other novel injunctions to protect consumers. Since taking office in January 2017, he has announced a $600 million settlement with Equifax for improperly exposing the personal information of 147 million consumers; a $148 million settlement with Uber for failing to notify regulators and users of a data breach; an $18.5 million settlement with Target for failing to provide reasonable data security; a $935,000 settlement with Aetna for illegally revealing that patients were taking HIV-related medication; and a $3.5 million settlement with Lenovo for illegally preinstalling software that compromised the security of its computers.
A copy of the settlement, which is subject to court approval, is available here. A copy of the complaint is available here.
h/t, Centennial Man