Health apps may help you track your prescriptions, look up sickness symptoms, and measure your mood. But they may also pose “unprecedented risk to consumers’ privacy,” according to a new study published in the journal The BMJ.
The study authors identified 24 of the most popular or highly recommended medication-related Android apps in the Google Play store and found that 79 percent of them share user data in ways that may violate your privacy.
“We’re getting more and more of a sense that there isn’t any privacy anymore,” says Quinn Grundy, Ph.D., the lead author of the study, an assistant professor in the faculty of nursing at the University of Toronto, and an honorary senior lecturer in the school of pharmacy at the University of Sydney. But many people “still hold health data as a protected category” and aren’t comfortable with health-related information being shared.
Consumers have good reason to be uncomfortable, experts say, because sharing personal health information may lead to a variety of harms, such as restrictions on access to healthcare or life insurance.
“The information that consumers reveal to health apps can be especially personal and can also find their way into users’ health scores, which are used in insurance underwriting, and in other ways a consumer would not expect,” says Dena Mendelsohn, senior policy counsel for Consumer Reports.
And while you might assume that this information is legally protected the same way your hospital and medical records are, that’s not necessarily the case.
“People rely on health information being protected and do not realize that these safeguards do not apply to medical apps,” says Lori Andrews, Ph.D., a law professor and director of the Institute for Science, Law and Technology at the Chicago-Kent College of Law at the Illinois Institute of Technology.
Here’s what you need to know about the new study and about safeguarding the privacy of your health information.
What the Study Found
Grundy and her colleagues identified the 24 Android apps they studied by finding those that were frequently downloaded, ranked in the top 100 medical apps, or endorsed by prominent organizations.
They created dummy user profiles and ran the apps a number of times, checking to see what user information was shared outside the app and where.
The user data that was passed along varied from app to app but included users’ names, device names, locations, operating system version, web browsing behavior, medications, and email addresses.
That information was shared with app developers and their parent firms but also with outside or third-party companies that use consumer data for a variety of reasons, including sales and marketing.
In addition, the authors say, third parties could theoretically share this information with other entities, which they refer to as “fourth parties.”
Some fourth parties—such as Alphabet, Facebook, and Oracle—are large tech companies that may build profiles of users, often to target them with ads. Others identified by the researchers included digital ad firms, venture capital firms, and a consumer credit reporting agency.
The Ways This May Harm You
What could this kind of sharing of information mean for you?
For some people, being targeted with ads is irritation enough. But there are more troublesome possibilities.
Most privacy policies promise that they won’t share names or other personally identifiable data. Still, health apps often provide enough information to ultimately make users “completely identifiable,” says Andrews, who has studied the ways that diabetes apps and psychiatric apps share personal health data.
At that point, an insurance company or another entity might buy packages of data that reveal you have a medical condition that would make you more expensive to cover, for example. And that could affect your insurance coverage or costs.
“We don’t have a good reason to believe that insurance providers won’t use data about specific diagnoses in discriminatory ways, even if it’s not legal to do so,” says Kirsten Ostherr, Ph.D., medical humanities program director, a professor of English, and director of the Medical Futures Lab at Rice University. “A lot of the access to this data is taking place far from public view, and there isn’t accountability for it.”