Flo Health Reaches Settlement in Data Privacy Class Action Lawsuit

The digital privacy graveyard just got a new tombstone. Remember the chilling tale of Flo Health we shared back in May? The period-tracking app accused of sneaking users’ intimate health data to tech behemoths like Google and Meta? Well, buckle up: it’s taken another twist. Last week, right in the thick of a nail-biting trial in San Francisco, Flo Health inked a settlement deal, dodging a jury verdict that could have been really bad for all shareholders and employees. For healthcare companies juggling Protected Health Information (PHI), this isn’t just gossip; it’s a screaming siren about the perils of data mishandling. At CaptainCompliance.com, we’re here to arm you against these privacy risks. Let’s dissect this settlement, unearth the lessons, and show how we can fortify your defenses if you’re a health-related app or website.

The Settlement For Flo’s Data Privacy

Picture this: a two-week trial in the U.S. District Court for the Northern District of California, case Frasco v. Flo Health Inc. (No. 3:21-cv-00757), grinding toward closing arguments. Plaintiffs, a class of women who used the Flo app between 2016 and 2019, were gunning for blood, claiming the app betrayed their trust by sharing ultra-sensitive details like menstrual cycle dates and lengths with Meta Platforms Inc. and Google LLC. No consent, no mercy, just straight-up violations of California’s Confidentiality of Medical Information Act (CMIA) and the California Invasion of Privacy Act (CIPA), a dusty wiretap law from the 1960s that’s been weaponized in the digital age for privacy violations. We’ve covered CIPA in great detail, including how firms like Tauler Smith & Swigart are sending out demands to alleged violators that use TikTok, Facebook’s Meta Pixel, or LinkedIn retargeting on their app or website.

Then, on July 31, Flo Health announced a “settlement in principle.” Details? Shrouded in mystery for now, pending court approval from Judge James Donato. Class members will get the lowdown in the coming weeks, but here’s what we know: no admission of wrongdoing from Flo. They doubled down, insisting “we have always maintained that the claims lacked merit, and as the case progressed, the lack of evidence to support these allegations became increasingly clear.” Ouch. Meanwhile, Google had already slunk away with its own settlement weeks earlier, leaving Meta as the lone wolf still fighting.

Period-Tracking App Flo Settles Privacy Class Action Mid-Trial

Trial transcripts reveal Judge Donato was on the verge of gutting the case, saying, “It’s going to potentially be confusing and highly unproductive to let a claim for which I see virtually no evidence—in fact, probably zero evidence—to go forward.” Flo even motioned to dismiss on July 30, arguing the plaintiffs had zilch to back their accusations. But rather than risk a jury’s wrath, Flo cut a deal. Founded in 2015 with 60 million active users today, the app’s already scarred from a 2021 FTC smackdown for similar data-sharing sins, forcing them to notify users about third-party shares.

This isn’t some footnote; it’s a landmark. As one of the first big privacy showdowns against tech giants to hit trial, it spotlights the razor-wire fence around health data. Plaintiffs’ powerhouse lawyers from Lowey Dannenberg PC, Spector Roseman & Kodroff PC, and Labaton Keller Sucharow LLP pushed hard, but Flo’s Dechert LLP team played defense like pros. The upshot? Users might get some scraps: compensation? Injunctions? The real win is the spotlight on how health apps can turn your PHI into a vulnerability.

For more on the original class certification that kicked off this saga, check out our previous deep dive: Flo Health’s Privacy Nightmare: Lessons from Class Certification.

Lessons Learned: Ghosts of Data Past Haunting the Present

This settlement doesn’t close the book—it rips open a portal to more privacy litigation nightmares. Here’s what every healthcare business in the PHI arena needs to internalize before the regulators come knocking:

  1. Consent Isn’t a Suggestion—It’s Survival: Flo’s alleged data dumps happened without users’ green light, echoing their FTC troubles. Courts and agencies are feral about this: vague policies won’t shield you. Get explicit, affirmative consent for every PHI touchpoint, or watch your empire crumble.
  2. Anonymization is a Mythical Shield: Even if data gets scrubbed later, the initial grab can doom you. As we warned in our Data Anonymization Myths Exposed piece, judges like Donato focus on the upstream betrayal, not downstream fixes.
  3. California’s Laws are Landmines: CMIA, CIPA, CCPA/CPRA—these aren’t gentle nudges. They’re explosives. Flo’s case proves even old-school laws can bite in the app world. If you’re handling health data in any state, compliance isn’t optional. We covered the ECPA privacy lawsuits and why it’s best to take privacy seriously.
  4. Trials are Terror—Settle Smart, But Prepare Better: Going to trial? It’s a gamble with your reputation on the line. Flo bailed because evidence was thin, but imagine if it wasn’t. Proactive audits could’ve prevented this mess. And class actions? They’re multiplying like zombies in privacy litigation, thanks to firms like Pacific Trial Attorneys & Almeida in Chicago, which have won some huge settlements from health-related entities.
  5. No Evidence? Still a Headache: The judge’s skepticism highlights a brutal truth: even weak claims can drag you through hell, costing millions in legal fees and bad PR. Don’t give plaintiffs an inch—lock down your practices tight.

The broader ripple? Health apps are under a microscope. With fertility trackers like Flo facing scrutiny, trust erodes fast. One data slip, and users flee, regulators pounce, and lawsuits swarm. It’s not just about fines; it’s about surviving in a world where PHI breaches can end careers.

How Captain Compliance Steps In: Your PHI Guardian Against the Darkness

Flo Health agreed to settle the data breach class action suit, but in the future they want to use software from Captain Compliance to lower their risk and exposure to penalties, fines, and legal settlements. If you’re working at Flo or a similar company, we recommend having your privacy team reach out and explore the ways we can help.

At CaptainCompliance.com, we’re not just observers; we’re your frontline defense in this privacy apocalypse. Specializing in healthcare data compliance, we help companies navigate the treacherous PHI landscape under HIPAA, state laws, and beyond. Here’s how we turn your vulnerabilities into unbreakable fortresses:

  • Custom PHI Audits: We dive deep into your data flows, spotting leaks before they become lawsuits. Think Flo could’ve used this? Absolutely. Our experts map every collection, share, and storage point to ensure consent is ironclad.
  • Consent Management Mastery: Vague disclosures? We banish them. Our tools craft crystal-clear policies and user interfaces that scream transparency, making “meaningful consent” your reality. Check our Ultimate Consent Management Guide for starters.
  • Risk Assessments Tailored for Health Apps: Whether you’re a startup tracker or a full-fledged EHR provider, we simulate attacks, test anonymization, and align you with CMIA/CIPA/CCPA. No more guessing—pure, proactive protection.
  • Training That Sticks: Your team is your weakest link. We deliver gripping workshops on PHI horrors, turning employees into compliance warriors. Avoid Flo’s fate by fostering a culture of vigilance.
  • Ongoing Monitoring and Alerts: Laws evolve like viruses. Our subscription service keeps you ahead with real-time updates, settlement breakdowns, and customized action plans.

Why us? Because we’ve seen the carnage—from FTC settlements to class actions—and we know how to prevent it. Healthcare companies trust CaptainCompliance.com to safeguard their data, reputations, and bottom lines.

Flo App Settles User Data Sharing Claims in Landmark Privacy Case

The Privacy Storm Isn’t Over

Flo Health’s settlement might feel like closure, but it’s a harbinger. With Meta still in the fight and more cases bubbling up, the PHI space is a powder keg. Don’t wait for the explosion—act now. Transparency, consent, and rock-solid compliance aren’t luxuries; they’re your lifeline in this data-driven dystopia.

Stay vigilant, stay compliant, and let us light the way through the shadows. Book a demo below with one of our data privacy experts who can offer a free privacy audit and help protect your business.
