Some concerned over privacy on period tracking apps following Roe v. Wade decision

Health data from virtually all period-tracking apps is not protected by HIPAA.

AUSTIN, Texas — Following the U.S. Supreme Court's decision to overturn Roe v. Wade, some Americans are wondering if they should delete their period tracking apps over privacy concerns.

Data in the cloud for period tracking apps is owned by the company that runs the app and can be subpoenaed by law enforcement and used to build a case against someone suspected of having an abortion. Additionally, a number of popular tweets claim that period tracking apps sell users' data.

When the SCOTUS draft opinion was leaked in early May, a tweet by attorney and activist Elizabeth McLaughlin went viral. In the tweet thread, McLaughlin explained that certain apps have a history of selling their users' information because they don't have to follow the same information policies that doctors do, including the Health Insurance Portability and Accountability Act of 1996, widely known as HIPAA.

The VERIFY team confirmed that health data from virtually all period-tracking apps is not protected by HIPAA. 

Now apps that say they will not sell users' information are going viral.

The app Stardust jumped to the top of the Apple App Store over the weekend. The app's creators say they will not sell users' information and, even if the government subpoenas Stardust, the company said there is a way to make sure users' information is safe.

"We are now the first period tracker to implement an end-to-end encryption," a Stardust spokesperson said in a TikTok, adding, "What this means is that if we get subpoenaed by the government, we will not be able to hand over any of your period tracking data. It is completely anonymized from your login data. We can't view it. You're the only person that can see this."

Stardust announced that the end-to-end encryption will go live on Tuesday, June 28, with the app's Android release and iOS update.

There are also other apps that are developed outside of the U.S. that do not sell users' data and would not be requested by the government to turn that data over.

