Are Mobile Healthcare Apps Jeopardizing Your Privacy?

For many people, it doesn’t come as much of a surprise that any online technology carries massive risks to our privacy. In fact, it has long been a topic covered in documentaries, debates, and even fictional movies. The data our phones collect through various apps and social media sites tracks hundreds of different data points that are then analyzed or sold to various marketing companies in order for them to better understand you – at least enough to tailor their ads to you for maximum effectiveness. However, this invasive strategy may also be being exploited to gather priceless information about our health.

What Information Is Collected & How

There are thousands upon thousands of apps available today that center on health, fitness, and medical care. The information being tracked and collected largely depends on the app being used and its intended function, but many health apps collect information such as:

• Your locations
• Your diagnosed conditions
• Your symptoms, as well as their frequency and severity
• What medications and supplements you take
• Care summaries from physician appointments
• Fertility and menstruation cycles
• Your mental/emotional health and struggles
• Your vaccination records
• Your tracked vitals or body measurements
• Your health-impacting habits (sleep, diet, exercise, etc.)
• Whether you drink or smoke
• Your web browsing and social media history, behaviors, and interests
• Your login information, email addresses, and/or phone number

Despite the sensitivity of the private health information being collected, the practice of harvesting data is almost as pervasive in medical health apps as in any other type of app. One study from Macquarie University found that 88% of the medical, health and fitness apps listed in just the Google Play Store are designed to harvest user data. (Tangari et al., 2021) During the same study, researchers intercepted data being transmitted from over 15,000 free health apps to 665 different third parties. (Tangari et al., 2021) All but 28% of the apps studied included some sort of privacy policy, however, roughly a quarter of the apps violated the terms of their privacy policies by transmitting user data. (Tangari et al., 2021)

Even if an app isn’t outright collecting and selling your data, anything involving such a wealth of valuable information is inevitably going to be subjected to data leaks or security breaches at some point or another. A report that studied the 30 most popular medical health apps available found that the apps were highly susceptible to attacks that allow unauthorized users to access your medical records, collected data, and other personally identifiable information (PII). (Chmielewski, 2021)

Why This Practice Is Harmful

While collected health information can be used in positive ways, such as to help the developers improve the app or allow them to connect you with resources specific to your diagnosed conditions, there will always be potential for that information to be exploited or used in discriminatory ways.

Yet another study performed in Canada raised some particularly troubling concerns. (Grundy et al., 2019) For starters, the laws that typically safeguard your protected health information (PHI) from a legal perspective actually don’t apply to medical apps. Another concern the researchers cited is the possibility that this information will make its way into our overall health scores, which are used by life and health insurance companies to determine how much it costs to insure you, thus making your insurance policies less affordable and accessible. Patient information has also historically been used by medical care cost-cutting systems in ways that have made access to medical care even more disproportionate. (Grundy et al., 2019)

Going even further, the study revealed that third parties then sold information to fourth parties, many of which couldn’t even be classified as belonging to the medical or healthcare industries whatsoever. (Grundy et al., 2019) The fourth parties noted by the researchers included multinational tech companies, digital advertising companies, telecommunications companies, and consumer credit reporting agencies.

The lead author of the report, Quinn Grundy, Ph.D., had this to say about the even further-reaching ramifications of the collection and use of patient data: “This, I think, is the world of algorithms, where user data is packaged, analyzed, and sold as a product that can be used to make decisions about things from whether someone should rent to you, or employ you, or give you benefits, and I think we’re seeing those sorts of products increasingly used.” (Grundy et al., 2019)

Protecting Your Privacy

Needless to say, many of these medical and health apps are so popular for a good reason – they can be incredibly helpful tools for tracking, understanding, and optimizing our healthcare experiences. If you’re currently worried about whether you’ll have to delete your favorite or most helpful apps, don’t fret. While deleting them is an option, it’s not the only available option for protecting your information.

So, what can we do about this? How do we go about protecting our privacy? Here are some steps you can take:

• Opt for apps that are more likely to fall under privacy laws and protections, such as apps offered directly by your physician's office.
• Be wary of apps that are free or ad-supported. Though these apps come at no monetary cost, they often come at the expense of user privacy because they harvest and sell user data to stay afloat.
• Read the privacy policies of every app you use. More specifically, you’ll want to check whether or not their policy says anything about sharing your data with third parties. While there’s no guarantee that they will adhere to their own privacy policies, this can help you identify possible red flags. If they don’t have a privacy policy at all, or if their policy doesn’t explicitly state whether or not they share your data, that app is likely not a safe option.
• Re-read the privacy policies at regular intervals. Policies that currently claim they don’t share user data can change at any point in the future.
• Pay attention to the permissions that apps request access to and ask yourself whether it even makes sense for the app to need those permissions to function properly. For example, an app you use as a symptom tracker doesn’t necessarily need to know your current GPS location, enable your microphone, or access your contact list.
• Familiarize yourself with and adjust your phone’s privacy settings - including location services, tracking across various apps, app permissions, data your phone collects for analytics and improvement, and settings regarding personalized advertisements.

Regardless of what we do on our end, it’s important to advocate for change and accountability when it comes to how apps are created, regulated, and marketed. We need to fight for more safeguards to be put in place to better protect consumer data and health information.

*Note: I originally wrote and published this article as a Living Rare editorial and has been shared here with permission from the Living Rare editorial board. To view the original article or read more Living Rare editorials, click here.

References and Resources

Chmielewski, D. (2021, February 9). Mobile health apps systematically expose PII and phi through APIs, new findings from Knight Ink and Approov Show. Business Wire. Retrieved May 15, 2022, from https://www.businesswire.com/news/home/20210209005461/en/Mobile-Health-Apps-Systematically-Expose-PII-and-PHI-Through-APIs-New-Findings-from-Knight-Ink-and-Approov-Show

Grundy Q, Chiu K, Held F, Continella A, Bero L, Holz R et al. Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis BMJ 2019; 364 :l920 doi:10.1136/bmj.l920

Tangari G, Ikram M, Ijaz K, Kaafar M A, Berkovsky S. Mobile health and privacy: cross sectional study BMJ 2021; 373 :n1248 doi:10.1136/bmj.n1248