Three defendants have agreed to pay nearly $60 million for sharing women's reproductive health data with third-party technology companies without telling them.
What happened
Flo Health, Google, and Flurry have agreed to a combined $59.5 million settlement resolving a consolidated class action lawsuit over the use of tracking software in the Flo Period and Ovulation Tracker app that shared users' sensitive reproductive health data with third parties without their knowledge or consent. According to The Daily Hodl, Google will contribute $48 million, Flo Health $8 million, and Flurry $3.5 million. The court granted preliminary approval on April 22, 2026, with the final fairness hearing scheduled for October 29, 2026. Claims must be submitted by October 15, 2026, through the official settlement website. This comes after a federal jury found Meta liable under the California Invasion of Privacy Act in August 2025, and Meta is appealing that verdict separately.
Going deeper
The lawsuit alleged that software development kits embedded in the Flo app transmitted users' most sensitive health information, including menstrual cycle details, pregnancy status, sexual activity, and gynecological health data, to Google, Meta, and Flurry, even though Flo Health told users their information would remain private and would not be shared without consent. The consolidated case, In re Period Tracker Data Privacy Litigation, combined multiple lawsuits and asserted claims for invasion of privacy, violation of the California Constitution, breach of contract, breach of implied contract, unjust enrichment, and violations of the Stored Communications Act, the California Confidentiality of Medical Information Act, and the California Invasion of Privacy Act. All three defendants deny wrongdoing and agreed to settle to avoid the cost and uncertainty of continued litigation.
What was said
According to BankInfoSecurity, Flo Health also agreed to display “a prominent notice about Flo's commitment to privacy” on the landing page of its website, “Along with a prominent link to its privacy policy, in large font, for the duration of one year from the dates the final approval order and final judgment become final," court documents said.
In the know
It’s not the first time Flo Health has faced federal action over the same data-sharing practices. In 2021, the Federal Trade Commission reached a consent order with Flo Health requiring it to obtain users' express consent before sharing health data with third parties and to notify users about past data disclosures. The case also produced one of the few jury verdicts in health app privacy litigation where the August 2025 finding against Meta under California's wiretapping statute established that third parties receiving improperly shared health data can face independent liability, as well as the app that transmitted it.
The big picture
The Flo Health case is the largest settlement yet in a wave of health app privacy litigation that has accelerated since the Supreme Court's 2022 Dobbs decision heightened public concern about who can access reproductive health data and for what purposes. The case also establishes that the companies receiving improperly shared health data, in this instance, Google and Flurry, bear legal responsibility alongside the app that transmitted it. For healthcare organizations and health app developers, the practical implication is direct, privacy promises made to users about how their health data will be used must account for every piece of third-party code embedded in an app or website, as well as the organization's own data handling practices. The Derick Dermatology pixel settlement and the Rutgers University study finding a 46% higher breach risk for hospitals using third-party tracking pixels both point to the same underlying exposure, and the Flo Health settlement quantifies what that exposure can cost at scale. According to HealthTechSecurity, two-thirds of US hospitals still use third-party tracking pixels, most without having assessed the data they transmit.
FAQs
What is a software development kit, and how did it transmit user data without consent?
A software development kit is a pre-built package of code that developers incorporate into apps to add specific functions, such as analytics, advertising measurement, or crash reporting. When Flo embedded kits from Google and Flurry, those kits automatically transmitted user data to the kit providers as part of their normal operation, without Flo disclosing that to users or obtaining separate consent for those transmissions.
Why is reproductive health data considered particularly sensitive in privacy litigation?
Reproductive health data documents menstrual cycles, pregnancy status, fertility treatment, and sexual activity. Following the Dobbs decision, concerns grew that this data could be subpoenaed or used in ways that harm users, making its unauthorized disclosure a more serious legal and reputational risk than the exposure of less sensitive personal information.
What does the Meta jury verdict mean for the case going forward?
Meta was found liable under California's Invasion of Privacy Act, which prohibits the intentional interception of confidential communications. Because Meta chose to go to trial rather than settle, the jury verdict applies only to Meta, which is now appealing. The Google, Flo Health, and Flurry settlements resolve those defendants' liability separately, and a future Meta-related recovery would be handled through a separate process.
How does this settlement affect current Flo Health users?
The settlement class covers users from November 2016 through February 2019. Current Flo Health users are not members of this class and would need to pursue any claims about current data practices separately. Flo Health has committed as part of the settlement to implement privacy protections going forward and to display a notice about user privacy on its website for one year after final approval.
What should health app developers take from this settlement?
Every third-party software development kit or analytics tool embedded in a health app creates a potential liability exposure if it transmits user data in ways the privacy policy does not clearly disclose and for which users have not given informed consent. Developers should audit all embedded third-party code, confirm what data each component transmits and to whom, and ensure privacy disclosures accurately show every data flow before making commitments about confidentiality to users.
