That fitness app on your phone that counts your steps or logs your weight loss may be unhealthy for your privacy. There’s a growing body of evidence that health and fitness apps lack suitable safeguards to protect users’ private health and medical information.
A 2014 study found that fewer than a third of the 600 most popular mobile health apps had privacy policies. Of those that did, two-thirds of the privacy policies didn’t address the app itself. Another study this year found that four out of five diabetes apps available for Android phones had no privacy policies. Of the 41 apps that did, 80 percent still collected user data and almost half shared data. Only four policies stated that permission was needed from the user before data was shared.
“I believe our findings apply to the majority of health and fitness apps on the market,” says Sarah Blenner, one of the authors of the study. “Like diabetes apps, health and fitness apps collect many types of information, including intimate details.”
Medical information is typically protected by the Health Insurance Portability and Accountability Act, or HIPAA. The act applies to certain types of entities such as health plans, health care clearinghouses and health care providers. But health and fitness apps are not covered.
Many apps also require excessive permissions to information on your phone before you can download them. For example, one app that only displays recipes required permissions to find user accounts on the phone; read and modify contacts; read the calendar; track the user’s GPS location; make phone calls; read and modify the call log; test access to and modify external storage; obtain the device ID; activate the camera and microphone; and install and delete other applications, Blenner says.
All this information can be sold to third parties like advertisers and data aggregators, which, in turn, can come back to haunt users.
“Mobile devices are all building this sort of surrogate version of your health life completely outside of the regulation of HIPAA,” said Nicolas Terry, a law professor, testifying last month at a House subcommittee hearing on health care apps. “And it is being sold back to insurers and employers as body scores or health scores, which are potentially extremely discriminatory.”
There’s even more risk to consumers. Much of the data sent to third parties is transmitted in sloppy ways. A 2013 study found that only 6 percent of free health apps and 15 percent of paid ones always used encrypted SSL connections when sending private information to third parties. That’s a hacker’s dream.
“Personal health information is a prime target for hackers, and breaches of this type of information in recent years have been devastating for consumers,” Rep. Frank Pallone (D-NJ) said in a statement at the subcommittee hearing. “Healthcare data contains addresses, Social Security numbers, in addition to diagnosis and prescription history. The more apps that handle this information, the greater the risk of a privacy breach for consumers.”