Privacy Risk With Popular Health Apps

Do you practise health measuring apps daily ?

Mobile health apps are a booming market targeted at both patients and health professionals. Medicines-related apps help patients track their prescriptions and remember to take their pills. They also provide drug information to help clinicians prescribe and administer medications. However these apps also pose unprecedented risk to consumers' privacy given their ability to collect user data, including sensitive information that is highly valuable to commercial interests, new research demonstrates.

Published in BMJ today, the research team from the University of Sydney, the University of Toronto and University of California set out to investigate if and how user data is shared by top rated medicines-related mobile apps. It also sought to characterize privacy risks to app users, both clinicians and consumers. The researchers found sharing of user data by medicines-related apps is routine but far from transparent, and also identified a small number of commercial entities with the ability to aggregate and potentially re-identify user data. "Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services," said lead author Assistant Professor Quinn Grundy of the University of Toronto and University of Sydney School of Pharmacy, Charles Perkins Centre.

How data is shared ?

The research team identified 24 top rated medicines related apps for the Android mobile platform in the United Kingdom, United States, Canada, and Australia. All apps were available to the public; provided information about medicines dispensing, administration, prescribing, or use; and were interactive. They ran laboratory-based traffic analysis of each app downloaded onto a smartphone, simulating real world use with four dummy scripts. Privacy leaks were detected using a technique called Differential Traffic Analysis, explained co-author Dr Ralph Holz from the University of Sydney's School of Computer Science. Several companies, including Alphabet, Facebook, and Oracle, occupied central positions within the network with the ability to aggregate and re-identify user data. While it's unclear if iOS apps share user data and if medicines-related apps share user data more or less than other health apps, or apps in general the findings remain of concern said Assistant Professor Grundy.

“Most health apps fail to provide privacy assurances or transparency around data sharing practices," she said.

User data collected from apps providing medicines information or support may also be particularly attractive to cybercriminals or commercial data brokers. "Health professionals need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent.

"Regulators should also emphasize the accountabilities of those who control and process user data, while health app developers should disclose all data sharing practices and allow users to choose precisely what data are shared and where."