While mHealth apps collect and share user data less often than other types of apps, researchers say these apps have serious privacy problems
As consumer health apps continue to increase in popularity, so do experts’ fears over user privacy.
“Our results show that the collection of personal user information is a pervasive practice in mHealth apps, and not always transparent and secure,” the researchers said in the study. “Patients should be informed on the privacy practices of these apps and the associated privacy risks before installation and use.”
Through their analysis, researchers from Macquarie University in Sydney, Australia found that 88% of mobile health (mHealth) apps have the ability to collect and potentially share user data.
In comparison to other types of apps, mHealth apps collect and share user data less often, according to the study. Still, these mHealth apps collect a range of user information including contact information, user location and device identifiers for advertisements.
While only about 4% of the mHealth apps studied actually shared this user data – most often with third-party companies – there’s still reason to be concerned.
“This percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps, because some transmissions might not be triggered in automated app testing,” the researchers said.
Nearly 56% of data transmissions go to third parties, such as advertisers. Google-owned services were the most common third-party receivers of user information, according to the study.
Adding to the problem is a lack of transparency around mHealth apps’ data collection policies. Over a quarter of the apps had no indicators of their privacy policies and of those that did, at least 25% of user data transmissions violated what was stated in the privacy policies.
The researchers collected over 20,000 mHealth apps in the Google Play store by creating a crawler that searched through the app store.
Between October 1 and November 15, 2019, it searched through more than 1.7 million apps. mHealth apps account for 2% of available apps in the Google Play store.
The crawler also collected a random set of non-mHealth apps across the tools, communication, personality, and productivity categories to create a baseline comparison. This sample contained more than 8,000 apps.
From there, the research team analyzed the apps’ files and source code, network traffic generated during the execution of the app, and reviews provided by users of the apps.
The larger trend
This is far from the first time consumer privacy concerns related to digital health have been raised.
As a major source of where consumer data goes, Google’s acquisition of Fitbit led many to fear what the tech giant would do with user health and fitness data. In fact, prior to its approval, European regulators conducted a full-scale investigation into Google’s management of the data.
Consumer privacy concerns were top of mind throughout the COVID-19 pandemic, as the market was saturated with contact tracing and other related apps. Last May, Senate Republicans introduced a bill that seeks to increase transparency and ownership of personal health, geolocation, proximity and other related data collected by digital devices or systems during the COVID-19 public health emergency.
French independent health insurer Alan has attempted to curb these worries by partnering with data security company Tanker to bring end-to-end encryption to its telehealth chat platform.
On the record
“Mobile apps are fast becoming sources of information and decision support tools for both clinicians and patients,” the researchers said. “Such privacy risks should be articulated to patients and could be made part of app usage consent. We believe the trade-off between the benefits and risks of mHealth apps should be considered for any technical and policy discussion surrounding the services pr