Are Health Apps Putting Your Privacy at Risk?

A new study reveals that your personal info might be shared without your realizing it

Apps iStock-1072626580 iStock-911979038 iStock-660715084 iStock-604359096 iStock-510313636

Health apps may help you track your prescriptions, look up sickness symptoms, and measure your mood. But they may also pose “unprecedented risk to consumers’ privacy,” according to a new study published in the journal The BMJ.

The study authors identified 24 of the most popular or highly recommended medication-related Android apps in the Google Play store and found that 79 percent of them share user data in ways that may violate your privacy.

“We’re getting more and more of a sense that there isn’t any privacy anymore,” says Quinn Grundy, Ph.D., the lead author of the study, an assistant professor in the faculty of nursing at the University of Toronto, and an honorary senior lecturer in the school of pharmacy at the University of Sydney. But many people “still hold health data as a protected category” and aren’t comfortable with health-related information being shared.

More on Medical Privacy

Consumers have good reason to be uncomfortable, experts say, because sharing personal health information may lead to a variety of harms, such as restrictions on access to healthcare or life insurance.

“The information that consumers reveal to health apps can be especially personal and can also find their way into users’ health scores, which are used in insurance underwriting, and in other ways a consumer would not expect,” says Dena Mendelsohn, senior policy counsel for Consumer Reports.

And while you might assume that this information is legally protected the same way your hospital and medical records are, that’s not necessarily the case.

“People rely on health information being protected and do not realize that these safeguards do not apply to medical apps,” says Lori Andrews, Ph.D., a law professor and director of the Institute for Science, Law and Technology at the Chicago-Kent College of Law at the Illinois Institute of Technology.

Here’s what you need to know about the new study and about safeguarding the privacy of your health information.

What the Study Found

Grundy and her colleagues identified the 24 Android apps they studied by finding those that were frequently downloaded, ranked in the top 100 medical apps, or endorsed by prominent organizations.

They created dummy user profiles and ran the apps a number of times, checking to see what user information was shared outside the app and where.

The user data that was passed along varied from app to app but included users’ names, device names, locations, operating system version, web browsing behavior, medications, and email addresses.

That information was shared with app developers and their parent firms but also with outside or third-party companies that use consumer data for a variety of reasons, including sales and marketing.

In addition, the authors say, third parties could theoretically share this information with other entities, which they refer to as “fourth parties.”

Some fourth parties—such as Alphabet, Facebook, and Oracle—are large tech companies that may build profiles of users, often to target them with ads. Others identified by the researchers included digital ad firms, venture capital firms, and a consumer credit reporting agency.

The Ways This May Harm You

What could this kind of sharing of information mean for you?

For some people, being targeted with ads is irritation enough. But there are more troublesome possibilities.

Most privacy policies promise that they won’t share names or other personally identifiable data. Still, health apps often provide enough information to ultimately make users “completely identifiable,” says Andrews, who has studied the ways that diabetes apps and psychiatric apps share personal health data.

At that point, an insurance company or another entity might buy packages of data that reveal you have a medical condition that would make you more expensive to cover, for example. And that could affect your insurance coverage or costs.

“We don’t have a good reason to believe that insurance providers won’t use data about specific diagnoses in discriminatory ways, even if it’s not legal to do so,” says Kirsten Ostherr, Ph.D., medical humanities program director, a professor of English, and director of the Medical Futures Lab at Rice University. “A lot of the access to this data is taking place far from public view, and there isn’t accountability for it.”

This data could also harm people indirectly, Ostherr says. Systems designed to help cut medical costs have used patient information in ways that make access to medical care more unequal, she notes. And data collected from apps could exacerbate this, she says.

It could have other ramifications, too. “This, I think, is the world of algorithms, where user data is packaged, analyzed, and sold as a product that can be used to make decisions about things from whether someone should rent to you, or employ you, or give you benefits, and I think we’re seeing those sorts of products increasingly used,” Grundy says.

How to Protect Your Privacy

It’s hard to prevent apps from collecting data because there are few legal limitations on doing so. But you can do the following to reduce the risk that your information will be shared in inappropriate ways:

Read privacy policies. Check to see whether the health apps you use share data with third parties. If this isn’t spelled out in the policy, that may be a red flag, according to Grundy. (And check app permissions to see what sorts of information your apps are sharing.) Also, be wary of a policy that is convoluted, extremely long, or hard to understand. (Here’s more on how protect your privacy while using your smartphone.)

Reread privacy policies from time to time. Even companies whose privacy policies currently promise that they won’t share could change those policies in the future, Andrews says.

Know your privacy settings. “We recommend that consumers familiarize themselves with the privacy settings on their phones and within the app,” Mendelsohn says. She also advises carefully evaluating the permissions an app asks for—most medication-management apps, for instance, shouldn’t need access to your contacts, microphone, or location.

Choose apps wisely. Opt for apps from your health insurer or those that are directly linked to your doctor’s office. These are more likely to fall under privacy laws, Ostherr says.

Be wary of free or ad-supported apps. Free apps often exist simply to collect user data, according to Andrews, and ad-supported apps collect user data to target users with those ads. “The apps and services that are available for ‘free,’ users are still paying for that in other ways,” Grundy says. “It is really not a fair trade in terms of your personal data.”

Smartphone Privacy Protection

A smartphone can be an incredibly useful device—but what do all those apps do with your information? On the "Consumer 101" TV show, Consumer Reports expert Justin Brookman explains how you can protect your privacy.

Head shot image of CRO Health editor Kevin Loria

Kevin Loria

I'm a science journalist who writes about health for Consumer Reports. I'm interested in finding the ways that people can transform their health for the better and in calling out the systems, companies, and policies that expose patients to unnecessary harm. As a dad, I spend most of my free time trying to keep up with a toddler, but I also enjoy exploring the outdoors whenever possible. Follow me on Twitter (@kevloria).