Quick Answer Box
– What it is: A class action lawsuit and FTC enforcement action against Flo Health, Inc. for sharing users' sensitive reproductive health data with third parties including Meta and Google without proper consent.
– Who qualifies: U.S. residents who used the Flo Period and Ovulation Tracker app between approximately 2016 and 2021 and whose health data may have been shared with advertising platforms.
– What it's worth: The civil class action settlement fund was set at $1,000,000. Individual payouts ranged from small pro-rata cash amounts to vouchers, depending on claims volume and tier.
Case Snapshot
| Detail | Information |
|---|---|
| Court | U.S. District Court, Northern District of California |
| Case Number | 3:21-cv-00757-JD |
| Assigned Judge | The Honorable James Donato |
| Filing Date | January 28, 2021 |
| FTC Docket | No. C-4747 (consent order, June 2021; revised 2023) |
| Defendant | Flo Health, Inc. |
| Settlement Fund | $1,000,000 (civil class action) |
| Class Period | Approximately 2016 to 2021 |
| Status (2026) | Civil settlement approved; FTC consent order active; monitoring ongoing |
| Data Recipients Named | Meta (Facebook), Google, AppsFlyer, Flurry/Oath |
Introduction
The Flo lawsuit centers on one of the most sensitive categories of personal data a person can share: information about menstrual cycles, pregnancy attempts, fertility, and reproductive health. Flo Health, Inc., the developer behind one of the world's most downloaded period-tracking apps, faced simultaneous federal enforcement by the FTC and a private class action civil suit in federal court, both stemming from the same core allegation: that Flo shared user health data with advertising firms without the knowledge or consent of the people whose bodies that data described.
The civil case, filed January 28, 2021, in the Northern District of California, was assigned to Judge James Donato under docket 3:21-cv-00757-JD. The FTC issued a consent order under Docket No. C-4747 in June 2021 and subsequently updated it in 2023 with additional restrictions.
What makes this litigation notable in 2026 is not just the settlement. It's the precedent it set for how regulators and courts treat reproductive health data collected by consumer apps that fall outside traditional HIPAA coverage.
For the estimated 100 million users Flo claimed globally at the time of the FTC action, the question is whether they received fair compensation and whether the legal framework now in place actually prevents future violations.
What Is the Flo Lawsuit?
The Flo lawsuit is a multifront legal action targeting Flo Health, Inc. for the unauthorized disclosure of users' reproductive and menstrual health data to third-party advertising and analytics companies.
The case is not a single event. It comprises an FTC administrative enforcement proceeding and a separate private class action lawsuit filed in federal court. Both proceedings stem from the same underlying conduct but pursue different remedies through different legal mechanisms.
The FTC proceeding focused on injunctive relief: stopping the practice and imposing compliance obligations on the company. The civil class action focused on monetary compensation for affected users.
Attorney Insight: *Attorneys handling digital health privacy claims note that the dual-track structure of the Flo litigation, regulatory enforcement plus private civil action, has become a template regulators and plaintiffs' firms now apply to other consumer health app cases.*
| Track | Forum | Remedy Sought | Outcome |
|---|---|---|---|
| FTC Enforcement | FTC Administrative Court | Injunction, compliance | Consent Order, Docket C-4747 |
| Civil Class Action | N.D. Cal., Judge Donato | Monetary damages | $1M settlement fund |
What Is the Flo Health Lawsuit Really About?
The Flo Health lawsuit is fundamentally about informed consent and the monetization of intimate health data. Flo's app asked users to log menstrual cycles, ovulation windows, pregnancy status, and symptoms. Users reasonably expected that data to stay within the app.
What allegedly happened instead was that Flo transmitted that data to Facebook, Google, and third-party analytics firms. This transmission occurred through software development kits, commonly called SDKs, embedded in the app. Those SDKs functioned as data pipelines to advertising infrastructure.
The core legal theory is that Flo's privacy policy representations were materially false or misleading. Plaintiffs alleged the company violated consumer protection statutes, the FTC Act, and various state privacy laws by representing that user data was protected while simultaneously routing it to advertisers.
Attorney Insight: *Plaintiffs' counsel in cases like this typically argue that the violation lies not only in the disclosure itself but in the breach of the explicit promise made in the app's user-facing privacy disclosures.*
Key Allegations at a Glance:
- Flo collected deeply sensitive reproductive health data from users
- That data was routed to Meta, Google, AppsFlyer, and Flurry without meaningful user consent
- Flo's privacy disclosures did not adequately disclose this practice
- The disclosures that did exist were buried and written to obscure the scope of third-party sharing
The Flo Health Privacy Lawsuit: How User Data Was Exposed
The Flo Health privacy lawsuit describes a specific technical mechanism by which private health data left the app and reached advertising platforms. The mechanism was the integration of third-party SDKs directly into Flo's mobile application.
An SDK is a set of pre-built software tools a developer embeds into an app to add functionality, such as analytics or advertising measurement. When Flo embedded Facebook's SDK and Google's Firebase SDK, those tools automatically collected certain app events, including events that Flo defined around health milestones.
The lawsuit alleged that Flo configured these SDK integrations in ways that caused health-related event data, such as a user marking a period as started or logging a pregnancy, to be transmitted to the SDK provider's servers as part of routine app analytics and advertising attribution.
Attorney Insight: *Privacy attorneys tracking SDK-based data exposure cases point out that many developers integrate SDKs without fully auditing what data those SDKs capture and transmit, making the resulting exposure a product of negligent configuration as much as intentional design.*
Data Flow as Alleged in Court Filings:
| Stage | What Happened |
|---|---|
| User Input | User logs cycle, symptoms, or pregnancy status in Flo app |
| SDK Capture | Facebook SDK / Google Firebase captures the app event |
| Transmission | Data sent to Meta's and Google's ad infrastructure servers |
| Use | Data matched to advertising profiles, used for targeting |
Flo Health Data Sharing Lawsuit: Which Companies Received Your Information
The Flo Health data sharing lawsuit identified four primary corporate recipients of user health data. Understanding who received the data matters legally because it affects theories of liability and potential additional defendants.
Meta Platforms, Inc. (Facebook): Flo integrated Facebook's SDK, which transmitted user events to Meta's servers. The lawsuit alleged this allowed Meta to associate reproductive health milestones with specific advertising profiles.
Google LLC: Flo integrated Google's Firebase analytics SDK. The data transmission alleged here followed a similar event-capture mechanism. Google received information that could be tied to specific device identifiers.
AppsFlyer: This mobile attribution analytics firm received data through Flo's integration of its SDK. AppsFlyer specializes in measuring whether advertising campaigns drive app installs and in-app events.
Flurry / Oath: Flurry, which became part of Verizon Media's Oath platform, received app analytics data through a separate SDK integration. This data was used for aggregate app performance analytics but included event-level information.
Attorney Insight: *Litigation analysts note that when multiple corporate recipients receive sensitive health data from a single app developer, plaintiffs' counsel must decide whether to name all recipients as defendants or focus claims against the developer as the party with the most direct legal duty to the user.*
Named Data Recipients:
- Meta Platforms, Inc. (Facebook SDK)
- Google LLC (Firebase SDK)
- AppsFlyer Inc.
- Flurry / Oath (Verizon Media)
Litigation Watch: *The Flo Health data sharing lawsuit identified four named corporate recipients of reproductive health data, a specific factual record that distinguishes this litigation from vague "data sharing" allegations common in weaker privacy cases.*
Flo Health Facebook Data Sharing: What the App Actually Sent to Meta
The Flo Health Facebook data sharing allegation is the most specific and well-documented claim in the litigation. The core allegation: when a Flo user logged a menstrual event or marked a pregnancy attempt, the Facebook SDK captured that in-app event and relayed it back to Meta.
The data transmitted included what are called "custom app events," specific actions Flo defined within its app that the Facebook SDK was configured to track. These events bore descriptive labels that directly reflected reproductive health status.
A February 2019 Wall Street Journal investigation first publicly identified this practice. That reporting triggered the FTC inquiry and gave plaintiffs' counsel a documented factual foundation to build civil claims upon. The Journal's report described how Flo sent data to Facebook with specific event names tied to fertility windows and pregnancy tracking.
Attorney Insight: *In privacy litigation, the availability of prior investigative reporting that independently corroborates the plaintiff's allegations significantly strengthens the evidentiary record at class certification.*
What Was Transmitted to Meta (as Alleged):
- App event labels corresponding to menstrual cycle start and end
- Ovulation window tracking events
- Pregnancy attempt logging events
- In some cases, pregnancy loss events
- Device identifiers linking events to specific Facebook advertising accounts
The FTC and Flo Health: Federal Enforcement Action Explained
The FTC's action against Flo Health is distinct from the civil class action and represents the regulatory enforcement track of this litigation. The FTC filed its complaint and issued a consent order under Docket No. C-4747 in June 2021.
The FTC's legal theory was grounded in Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce. The agency found that Flo's data sharing was inconsistent with the privacy representations it made to users, constituting a deceptive practice.
The original 2021 consent order required Flo to notify users about the data sharing, obtain their consent before sharing health data going forward, and instruct third parties who had received the data to delete it. In 2023, the FTC revised and strengthened the consent order, adding requirements that Flo obtain affirmative express consent before sharing health data with any third party and expanding the data definition covered.
Attorney Insight: *The 2023 revision to Flo's consent order was notable because it applied the FTC's updated Health Breach Notification Rule framework more aggressively to non-HIPAA-covered entities, signaling regulatory intent that now shapes how plaintiffs' attorneys approach cases against consumer health apps.*
| FTC Action | Date | Key Requirement |
|---|---|---|
| Original Consent Order | June 2021 | Notify users, instruct data deletion |
| Revised Consent Order | 2023 | Affirmative express consent, expanded data scope |
| Ongoing Compliance | 2026 | Active monitoring under consent order |
Flo Health Class Action: How the Civil Case Was Structured
The Flo Health class action was filed January 28, 2021, in the U.S. District Court for the Northern District of California, the same court that handles much of the country's major technology privacy litigation. The case, docketed as 3:21-cv-00757-JD, was assigned to Judge James Donato.
The lead plaintiff is identified in court filings as Erica Frasco, along with additional named plaintiffs. Plaintiffs' counsel included Cotchett, Pitre & McCarthy LLP and Kopelowitz Ostrow PA, among other co-counsel firms.
The class was defined to include U.S. residents who used the Flo app and whose health data was shared with third parties during the class period running approximately from 2016 through 2021. Class certification was contested, as defendants typically argue that individual factual differences among class members defeat the predominance requirement under Federal Rule of Civil Procedure 23.
Attorney Insight: *Class certification in privacy cases often turns on whether the harm is sufficiently uniform across the class. In Flo's case, the uniform technical mechanism of the SDK transmission supported the argument that the injury was class-wide rather than individualized.*
Civil Case Structural Details:
- Court: U.S. District Court, N.D. Cal.
- Docket: 3:21-cv-00757-JD
- Judge: Hon. James Donato
- Filed: January 28, 2021
- Lead Plaintiff: Erica Frasco, et al.
- Plaintiffs' Counsel: Cotchett, Pitre & McCarthy LLP; Kopelowitz Ostrow PA
Flo Health HIPAA Lawsuit: Does Federal Health Law Apply?
The Flo Health HIPAA lawsuit framing is one of the most frequently misunderstood aspects of this litigation. HIPAA, the Health Insurance Portability and Accountability Act, does not automatically apply to consumer mobile apps.
HIPAA covers "covered entities," which are healthcare providers, health plans, and healthcare clearinghouses, and their "business associates." Flo Health, Inc. is a consumer app developer. It is not a covered entity under HIPAA's definitions. This means the standard HIPAA private right of action framework does not apply to Flo users directly.
This distinction matters because it explains why the FTC, rather than the Department of Health and Human Services, was the primary federal regulator involved. The FTC used its own Health Breach Notification Rule and Section 5 authority to regulate Flo's conduct in the absence of HIPAA jurisdiction.
Attorney Insight: *Privacy attorneys frequently must explain to potential clients that the absence of HIPAA coverage for a consumer health app does not mean there is no legal remedy. FTC enforcement, state privacy statutes like CCPA, and common law theories like breach of contract and unjust enrichment all remain available.*
HIPAA Applicability Analysis:
| Question | Answer |
|---|---|
| Is Flo a HIPAA covered entity? | No |
| Does HIPAA apply to consumer apps generally? | No, absent covered entity relationship |
| What federal law did apply? | FTC Act Section 5; Health Breach Notification Rule |
| What state laws may apply? | CCPA (California); state consumer protection statutes |
Litigation Watch: *The Flo Health HIPAA question is a critical legal distinction. The absence of direct HIPAA coverage does not eliminate user remedies; it shifts the legal theories to FTC authority, state law, and contractual breach, all of which plaintiffs successfully used to reach a settlement.*
Flo Health Lawsuit Status 2026: Where Does the Case Stand Now?
The Flo Health lawsuit status in 2026 reflects a case that has moved through its most active litigation phase and into a post-settlement compliance and monitoring period. The civil class action settlement received judicial approval, concluding the monetary claims track. The FTC consent order, as revised in 2023, remains in active effect.
Flo Health has implemented the required privacy controls mandated by the consent order. The company updated its SDK integrations and revised its data-sharing practices following both the 2021 and 2023 regulatory actions. The consent order includes ongoing compliance monitoring, meaning the FTC retains authority to bring further enforcement if Flo violates the order's terms.
For potential claimants who missed the original filing window, the settlement fund has been distributed. New individual civil lawsuits remain theoretically possible, but any filer faces statute of limitations analysis that would need evaluation by a privacy attorney.
Attorney Insight: *Post-settlement monitoring orders like the one in Flo's case create a legal record that future plaintiffs in related or copycat cases against other health app developers can reference as an established standard of practice.*
2026 Case Status at a Glance:
| Proceeding | Current Status |
|---|---|
| Civil Class Action (3:21-cv-00757-JD) | Settlement approved and distributed |
| FTC Consent Order (Docket C-4747) | Active, as revised 2023 |
| New Individual Claims | Possible; statute of limitations analysis required |
| Ongoing FTC Monitoring | Active compliance oversight |
Flo Lawsuit Eligibility: The Basic Requirements
Flo lawsuit eligibility for the civil class action settlement was defined by the class definition approved by Judge Donato in the Northern District of California proceedings. The qualifying criteria tied directly to the app's use during the period of the alleged data-sharing conduct.
The class period ran approximately from 2016 through 2021, coinciding with the window during which Flo is alleged to have operated its SDK integrations in the manner described by the plaintiffs. Users who downloaded and actively used the app outside that window generally did not fall within the certified class.
Residency in the United States was required. The settlement class did not include international users, reflecting the domestic jurisdiction of the federal court proceedings and the U.S.-focused legal theories.
Attorney Insight: *In class action settlements, the class definition is a negotiated legal document. Attorneys representing class members always advise clients to read the class definition carefully because slight variations in usage dates or geographic status can determine whether a claim is valid or void.*
Basic Eligibility Requirements:
- U.S. resident at the time of app use
- Used the Flo Period and Ovulation Tracker app during approximately 2016 to 2021
- Health data may have been shared with one or more named third parties
- Did not opt out of the settlement class during the opt-out window
Who Qualifies for the Flo Lawsuit Settlement?
Who qualifies for the Flo lawsuit settlement depends on satisfying the class definition requirements and having submitted a valid claim form before the court-ordered deadline. The settlement class was broadly defined to reach the large user base Flo had accumulated during the class period.
Qualification did not require proof that a specific user's individual data was transmitted. The class theory was that the SDK configuration systematically transmitted data for all users in the class, meaning use of the app during the class period was itself the qualifying event.
Certain users were excluded from the class. Employees of Flo Health and their immediate family members, persons who had previously released claims against Flo, and the presiding judge and his staff were all carved out of the class definition, consistent with standard class action practice.
Attorney Insight: *Privacy class action attorneys note that "all-user" class definitions, where use of an app during a specific period is the sole qualifying criterion, tend to produce higher claims rates because claimants do not need to prove individualized harm to submit a valid claim.*
Who Qualified (Summary):
| Criterion | Requirement |
|---|---|
| Residency | U.S. resident |
| App usage period | Approximately 2016 to 2021 |
| Proof of individual harm | Not required; use of app during class period sufficient |
| Exclusions | Flo employees, prior releasors, judicial officers |
Flo Health Data Breach Lawsuit: Is This a Data Breach or a Privacy Violation?
The Flo Health data breach lawsuit framing requires a precise legal distinction. What occurred with Flo was not a data breach in the traditional cybersecurity sense. No external hacker gained unauthorized access to Flo's systems. No database was compromised.
What happened instead was an intentional, even if allegedly undisclosed, data-sharing practice. The company itself configured SDKs to transmit user health data to third parties. This is classified legally as an unauthorized disclosure or a privacy violation, not a breach in the sense that term carries under state data breach notification statutes.
This distinction matters for legal purposes. Traditional data breach claims rely on statutes that require notification when unauthorized third parties access personal data due to a security failure. Privacy violation claims, by contrast, rely on statutes and common law theories that address the defendant company's own conduct in sharing data without consent.
Attorney Insight: *Plaintiffs' attorneys in consumer privacy cases often face the challenge of clients who expect a "breach" framework when the actual legal claim sounds in disclosure without consent. The legal theories are different, the damages models are different, and the defendants' defenses are different.*
Data Breach vs. Privacy Violation:
| Category | Data Breach | Privacy Violation |
|---|---|---|
| How data left | Unauthorized external access | Intentional internal disclosure |
| Applicable law | State breach notification statutes | FTC Act, CCPA, consumer protection laws |
| Defendant's conduct | Failure to secure | Affirmative disclosure without consent |
| Flo case classification | Not applicable | Applicable |
Litigation Watch: *The Flo Health case is a privacy violation, not a cybersecurity breach. That distinction determines which legal theories apply, which statutes create liability, and how damages are calculated at both the federal and state levels.*
Flo Health Settlement: Key Terms of the Agreement
The Flo Health settlement, reached in the civil class action pending before Judge Donato in the Northern District of California, established the framework for resolving the monetary claims of the certified class. The settlement required Flo Health to make a $1,000,000 fund available for distribution to eligible class members.
In addition to the monetary fund, the settlement included significant non-monetary terms. Flo agreed to implement specific privacy controls, including enhanced consent mechanisms before sharing user health data with any third party, consistent with the requirements of the FTC consent order. The company committed to a compliance review period.
The settlement also included a provision for attorneys' fees and costs. Plaintiffs' counsel sought fees from the settlement fund, as is standard in common fund class action settlements. Courts evaluate fee requests against the fund size and the work performed.
Attorney Insight: *Attorneys who practice class action litigation note that in smaller settlement funds, like Flo's $1 million, the ratio of attorneys' fees to class member payouts comes under judicial scrutiny. Courts must balance compensating counsel for legitimate work against ensuring class members receive meaningful relief.*
Settlement Key Terms:
| Term | Detail |
|---|---|
| Settlement Fund | $1,000,000 |
| Non-Monetary Relief | Enhanced consent controls, privacy policy updates |
| Attorneys' Fees | Sought from settlement fund; court-approved amount |
| Claims Period | Defined window; now closed |
| Compliance Period | Ongoing under FTC consent order |
Flo Health Lawsuit Settlement Amount: How the Fund Breaks Down
The Flo Health lawsuit settlement amount of $1,000,000 represents the total civil settlement fund negotiated between plaintiffs' counsel and Flo Health, Inc. To understand what that number means in practice, it requires understanding how class action fund distributions work.
From the gross fund, the court first approves deductions for: attorneys' fees and costs, settlement administration costs (paying the claims administrator), and any service awards granted to named plaintiffs like Erica Frasco for their time and risk. These deductions can represent a substantial portion of the gross fund.
The net remainder is then divided among all approved claimants. In a case where tens of millions of users potentially qualify, a $1 million fund produces very small per-person amounts when distributed pro-rata across a large claimant pool. This is why the payout per person in the Flo case was modest.
Attorney Insight: *Settlement value analysis in privacy cases must account for the inherent tension between large eligible class sizes and fund amounts that may not scale proportionally. Attorneys advise clients that participation value in these cases is often dignitary and systemic rather than primarily financial.*
Fund Distribution Breakdown:
| Category | Estimated Share of Fund |
|---|---|
| Gross Settlement Fund | $1,000,000 (100%) |
| Attorneys' Fees | Court-approved percentage |
| Administration Costs | Deducted from gross fund |
| Named Plaintiff Service Awards | Small amounts, court-approved |
| Net Claimant Distribution | Remaining balance, divided pro-rata |
Flo Health Lawsuit Payout Per Person: What Claimants Actually Received
The Flo Health lawsuit payout per person reflects the mathematical reality of distributing a $1,000,000 net fund across a very large potential class. With Flo reporting over 100 million global users and millions of U.S. users during the class period, even with a subset filing valid claims, the per-claimant amount was small.
Settlement administrators typically calculate individual payouts after the claims window closes, at which point the total number of approved claims determines each person's pro-rata share. In cases with similarly sized funds and large class memberships, per-person payouts have historically ranged from a few dollars to amounts approaching $50, depending on claims volume.
For the Flo settlement, publicly available information indicates claimants received amounts in the range of low double digits per approved claim. Some settlements in similar cases structured payouts in tiers, with higher amounts for users who could document more significant personal impact.
Attorney Insight: *Privacy attorneys consistently advise prospective clients that the primary financial value of participating in a class action like Flo's is rarely the individual payout. The systemic value is the forced behavioral change by the defendant and the legal record it creates.*
Payout Context:
| Factor | Impact on Per-Person Payout |
|---|---|
| Gross Fund | $1,000,000 |
| Large eligible class | Reduces per-person share significantly |
| Fee deductions | Further reduces net distribution |
| Estimated per-claimant range | Low double digits for most claimants |
| Tier structures | Some settlements pay more for documented harm |
Litigation Watch: *The $1,000,000 Flo settlement fund, divided across a large U.S. user base, produced modest individual payouts, a pattern common in consumer privacy class actions where the systemic legal change the case produces carries more weight than the per-claimant dollar figure.*
How to File a Flo Health Lawsuit Claim in 2026
Filing a Flo Health lawsuit claim in 2026 for the original civil class action settlement is no longer possible. The claims filing window for the civil settlement closed in accordance with the court-approved schedule. Claimants who submitted valid forms before the deadline received their pro-rata distributions.
For individuals in 2026 who believe they have distinct or particularly serious harm arising from Flo's data sharing practices, separate individual legal options may still exist depending on state-specific statutes of limitations and the nature of the alleged harm. A privacy attorney can evaluate whether any viable individual claim survives under applicable state law.
California residents may have the strongest basis for continued individual analysis, given the California Consumer Privacy Act and the state's robust privacy enforcement framework. Illinois residents may have grounds under state consumer fraud statutes if they can demonstrate particularized harm.
Attorney Insight: *Attorneys who evaluate post-settlement individual claims in consumer privacy cases focus first on state statute of limitations, then on whether the plaintiff suffered documented, concrete harm beyond what the class settlement already compensated, since courts are reluctant to allow re-litigation of claims that were part of a certified and settled class.*
2026 Filing Options:
| Option | Status in 2026 |
|---|---|
| Original class action claims portal | Closed |
| Individual lawsuit (California) | Possible; attorney evaluation required |
| Individual lawsuit (Illinois) | Possible under state consumer law; attorney evaluation required |
| FTC complaint filing | Always available; no direct financial payout |
| Consult with privacy attorney | Recommended for documented significant harm |
Frequently Asked Questions
What is the Flo Health lawsuit about?
The Flo Health lawsuit is about the company's alleged sharing of users' reproductive and menstrual health data with third parties, including Meta and Google, without adequate user consent.
Two parallel legal proceedings addressed this conduct: an FTC enforcement action under Docket No. C-4747, and a civil class action filed January 28, 2021, in the Northern District of California under case number 3:21-cv-00757-JD.
Who qualifies for the Flo lawsuit settlement?
Qualifying class members are U.S. residents who used the Flo Period and Ovulation Tracker app during approximately 2016 through 2021.
No proof of individual data transmission was required; use of the app during the class period was the core qualifying criterion. The claims window for the original settlement has closed.
How much money can I get from the Flo Health settlement?
The gross settlement fund was $1,000,000. After deductions for attorneys' fees, administration costs, and named plaintiff service awards, the remaining balance was distributed pro-rata among approved claimants.
Per-claimant payouts were modest, estimated in the low double-digit dollar range for most approved claims, reflecting the large eligible class size relative to the fund.
Is the Flo lawsuit deadline still open in 2026?
The claims filing deadline for the original civil class action settlement has passed. Distribution to approved claimants has occurred.
Individuals with distinct documented harm may wish to consult a privacy attorney about whether separate individual claims under state law remain viable given applicable statutes of limitations.
Did Flo Health violate HIPAA?
Flo Health, Inc. is a consumer app developer, not a HIPAA-covered entity. HIPAA does not directly apply to Flo's conduct in the way it would apply to a hospital or health insurer.
The FTC regulated Flo's conduct under Section 5 of the FTC Act and the Health Breach Notification Rule, which together serve as the functional regulatory framework for consumer health apps outside HIPAA's scope.
Can I still sue Flo Health separately from the class action?
Class members who did not opt out of the settlement generally released their individual claims against Flo as part of the class settlement approval.
Individuals with documented harm who opted out, or who can demonstrate claims not covered by the class release, may have options. A privacy or consumer protection attorney in your state can assess whether any individual claim remains viable under applicable law.
Closing
The Flo Health case established that consumer-facing health apps carry genuine legal exposure when they transmit sensitive user data to advertising platforms without clear consent, regardless of whether HIPAA technically applies. The FTC consent order, as revised in 2023, created enforceable standards that now shape how regulators and plaintiffs' attorneys approach similar cases.
For anyone who used the Flo app during the class period and missed the filing window, the practical path forward is a conversation with an attorney who handles digital privacy or consumer protection litigation. State-specific remedies, particularly in California and Illinois, may present individual options worth evaluating.
The litigation record in this case, a named judge, a specific docket number, FTC enforcement under two consent orders, and identified data recipients, gives attorneys the documented foundation they need to assess related or follow-on claims efficiently.
