Mobile health apps diagnosed with data privacy concerns

20 July 2021

Venezuelan Jose Miguel Avendano, shows his application designed by him that allows locating health centers and hospitals as well as the most feasible route to reach them in the case of emergencies. (Photo by Yuri CORTEZ / AFP)

Things that were already difficult pre-pandemic were often made worse by the COVID-19 crisis, and that included those trying to seek outpatient treatment or counselling for physical and mental ailments, including substance abuse. At first, the rise of telehealth and mobile health apps offered a relieving alternative for many, but there is growing concern about how those apps are handling private data shared with them for clinical reasons.

The early onset of the pandemic saw a variety of telehealth services springing up, often with the caveat of loosened data-collection restrictions to enable emergency care by remotely-located health care providers, for patients who might be located in an entirely different area or even country.

While the burden of care was the primary focus in those early days, the explosion of mobile health services and apps for everything from filling prescriptions to seeking treatments has exposed how, like a great many mobile applications, health apps routinely collected user data and tracked users’ online movements (and with the aid of GPS geolocation data in your device, can track actual movements to boot).

When it comes to health apps, ‘user data’ is also patient data, and most of these apps do not share policies that remotely resemble doctor-patient confidentiality. New research by ExpressVPN’s Digital Security Lab in partnership with the Opioid Policy Institute and the Defensive Lab Agency, found that nearly all of the apps gave third parties, including Facebook and Google, access to user data.

“App-based approaches to public health problems have faced increasing scrutiny for lack of appropriate privacy and security. The Covid-19 contact tracing framework developed by Google was found to have substantial privacy issues, with Bluetooth identifiers stored in Android system logs,” reads the report’s introduction. “This follows a suspension of Norway’s contact tracing app, ranked alongside Kuwait and Bahrain for its location data leakage.”

The Digital Security Lab applied the same privacy and security-centered focus to ten smartphone health apps that dealt with opioid addiction and recovery, and found that for the most part, these apps were tracking unique identifiers of different devices, ranging from software-defined IDs to markers that indicate the user’s hardware and customer account with their cell service provider.

Also of note is the abundance of sensors on users’ smartphones these days, including accelerometers and ambient light sensors. When it comes to a privacy attack vector, “GPS, Bluetooth, and cell radio are commonly used for location tracking and Bluetooth, in particular, is on the rise as a channel for exfiltration of private user data,” states the ExpressVPN report.

These can work in concert with the prevalence of internet of things (IoT) devices and sensors which are ever-increasing in the world, such as sensors from security cameras and even motion sensors on roads, to create a bespoke profile of the user, and perhaps their family and close associates as well, if there is enough data.

“Many of the apps we studied gather location information in some form, relying upon a mix of GPS, mobile network/cell radio, and Bluetooth technology,” notes the study. “This location information, especially when correlated with unique identifiers, strengthens the capability for tracking an individual person who is carrying the smartphone, their daily habits and behaviors, and even pinpointing their friends and family.”

The report highlights how health apps can collect some of the most personal data, data which might otherwise be expected to be treated with the utmost secrecy, and share it with third-parties including other platforms, advertisers, and sometimes, even unknown parties.

The findings mirror similar findings by the British Medical Journal that carried out in-depth analysis of over 20,000 mobile health apps on the Google Play Store, and found that 88% of them used tracking identifiers and cookies to track users’ activities. 28% of those apps did not have a privacy policy of any sort listed in the Play Store.

The BMJ research did, however, commend the European General Data Protection Regulation, “which has improved transparency around apps’ data collection and sharing practices and requires specific measures to ensure active consent to data sharing”. On top of these statistics, researchers also found only 1.3% (3,609) of user reviews raised concerns about privacy, but that awareness around the security situation of such health apps is growing.