User Data Sold by Brokers, Privacy at Risk

In the last few years, the demand for mental health care skyrocketed, leading many Americans to rely on software-based virtual health and wellness apps. To register, users typically provide personal and medical histories and complete mental health assessments, similar to a doctor’s office visit. 

However, there is limited federal oversight to ensure data privacy. A 2023 Duke University report discovered data brokers selling information that identified individuals by their mental health diagnoses, such as depression, anxiety, and bipolar disorder. While many brokers removed personal details, some still included names and addresses of those seeking help. 

“We uncovered data brokers selling a range of data about all kinds of mental health conditions dealt with by Americans ranging from depression and anxiety to PTSD, OCD, people battling trauma, and even actually, people who had suffered strokes…”

– Justin Sherman, Senior Fellow, Duke Sanford School of Public Policy 

Below are some of the “key findings” discovered during the investigation:

  • Out of the 37 data brokers contacted for this report, 11 were willing and able to sell mental health data, with unclear deidentification or aggregation practices.
  • The 10 most engaged brokers advertised highly sensitive mental health data, including information on depression, ADHD, bipolar disorder, ethnicity, age, gender, and more.
  • Pricing for mental health data varied, with one broker charging $275 for 5,000 aggregated counts, while others charged upwards of $75,000 or $100,000 per year for subscription access!
  • Some brokers imposed data use limitations on the sale of mental health information, ranging from “single-use” to “multi-use” based on the firm and the product purchased.
  • Upon examining privacy policies, it seems that data brokers are generally hesitant to provide their customers with access and transparency concerning the collection and modification of personal information.

Is Your Health Data Protected by Health Tracker Apps? 

The study carried out by Duke University found that, in some instances, names, addresses, emails, and even race and ethnicity data, along with the number of children in the household, were attached to the information. Most Americans assume their health data is always protected, but this is not the case.

Numerous companies not governed by strict health privacy regulations can legally collect, share, and sell such data. This allows advertising firms, pharmaceutical companies, and health insurance providers to access and use this data for purposes such as targeted advertising, consumer profiling, and potentially determining health plan pricing. 

In some states, like California, consumers can request that their information not be sold under specific circumstances, thanks to state privacy laws. However, not all states have such regulations, and no federal law is applicable nationwide.

The main issue is that most people are unaware that their data is being collected and sold in the first place. Furthermore, even if individuals were aware, identifying every data broker to request the cessation of data sales would be challenging. 

The obscurity of the market and the clandestine operations of many companies make it extremely difficult for consumers to take action without more robust privacy regulations from the government. 

Fitness Tracker Apps 

Data breaches can expose sensitive information from fitness trackers, which connect to users’ phones via Bluetooth and are vulnerable to hacking. Although not considered “health information” under federal or state laws, personal data from fitness trackers can be shared or sold to third parties like data brokers or law enforcement.

Additionally, some providers may use the collected data for ad revenue. To protect privacy, consumers should review the provider’s terms of service before purchasing a fitness tracker and ensure there’s an option to opt out of data sharing if desired. 

Weight Loss Apps

Privacy International estimates that the average weight loss app asks users at least 50 questions related to their mental and physical health as well as their medical profile. The organization discovered that many also actively shared all consumer data with analytics firms. 

In October 2020, Noom, a popular weight loss app, and Fullstory, a consumer data analytics firm it worked with, faced a lawsuit accusing them of illegal wiretapping, eavesdropping, and invasion of privacy for tracking users’ actions on the app. A judge later dismissed the case.

Fullstory defended itself by stating that the weight loss app’s embedded script for collecting information was temporarily downloaded onto users’ devices and active only while connected to the website, being deactivated or deleted afterward. Yet, despite the lawsuit’s outcome, the legal challenge highlights concerns over this kind of commercial data sharing.  

Period Tracker Apps 

Using menstrual cycle tracking apps can provide useful predictions, but they also collect sensitive data, potentially even more than users realize. These apps may gather information about sexual activity, pregnancy attempts, and miscarriages.

In 2020, Consumer Reports found that five popular period tracker apps stored users’ data in the cloud without guaranteeing that it wouldn’t be shared with third parties. 

Privacy concerns have risen because this data could be used to target users with ads, or to affect life insurance coverage or loan interest rates. With the overturning of Roe v. Wade, users may worry that fertility and period data could be used against them as evidence of abortion in legal proceedings. This data could also expose people to civil liability in states like Oklahoma and Texas.

Consumer Reports’ Digital Lab evaluated four privacy-focused period tracker apps: Drip, Euki, Lady Cycle, and Periodical. They looked for two key privacy features: local data storage and no third-party tracking services.

Comparing these to four other popular apps, they recommended Drip, Euki, and Periodical, which provide these privacy protections. 



Are Mobile Health Apps Regulated?  

If you’re concerned about privacy, especially after Google’s acquisition of Fitbit, it’s essential to monitor where your health and fitness data goes and who has access to it. Wired magazine recently ran an audit to see if wellness data is kept private or shared only by choice. Here’s a look at what their study found as it relates to some of the most popular health tracker apps. 

Apple Health 

For Apple Health, ensure your data is encrypted, and review permissions for linked apps. You can disconnect apps and delete data shared with Apple Health. Check data sharing with others and remove friends if necessary. Disable Fitness Tracking in iOS Settings to block Apple Health’s access to phone sensors. 

Google Fit 

Google Fit’s privacy policy covers data collection, and you should also review the policies of connected apps. In the Google Fit app, disable activity tracking and location logging. Manage connected apps to revoke permissions. Google Fit can be uninstalled if you want to stop data collection. 

Fitbit

To find out more about data privacy practices, review Fitbit’s privacy policy and manage the visibility of your profile. If you’re concerned about data collection and targeted advertising, disconnect third-party apps from your device and delete your Fitbit account.

Does HIPAA Apply to Apps?

When it comes to mobile apps, HIPAA may apply if the app is developed, managed, or used by a covered entity or a business associate, and if the app handles PHI. For example, if an app is used by a healthcare provider to store, process, or transmit PHI, such as patient records, appointment details, or prescription information, it would likely be subject to HIPAA regulations. 

However, not all apps that collect or deal with health-related information are subject to HIPAA. Apps that are designed for individual use and do not involve a covered entity or business associates, such as fitness trackers or personal health diaries, may not be subject to HIPAA. 

Ultimately, determining whether an app is subject to HIPAA will depend on its specific use case and the relationship between the app developer, the users, and any covered entities or business associates involved. Developers of health-related apps should carefully assess their obligations under HIPAA and ensure that their app is compliant if necessary. 

Related article: Learn more about the HIPAA Privacy and Security Rule. 

Does Our Healthcare App Need to be HIPAA-Compliant? 

A healthcare app needs to be HIPAA-compliant if it deals with protected health information (PHI) and is used by a covered entity or business associate. Covered entities include healthcare providers, health plans, and healthcare clearinghouses, while business associates are third-party companies that access, store, or transmit PHI on behalf of a covered entity. If an app manages, stores, or transmits PHI for these organizations, it must adhere to the privacy and security rules established by HIPAA to safeguard patient data. 

Is an App Considered a Medical Device? 

Based on the FDA’s definition, an application is deemed a medical device if utilized in detecting, curing, mitigating, treating, or preventing diseases. 

Related article: HIPAA Compliance & Cell Phones: Staying Compliant While Staying Connected. 

The surge in demand for mental health care during the pandemic has led to increased reliance on health and wellness apps. While these apps offer support and convenience, they also raise significant data privacy concerns. The lack of robust federal regulations leaves users vulnerable to having their personal health information sold or shared by data brokers and third parties.  

This data feeds targeted advertising and consumer profiling, and it may also have implications for health plan pricing and legal liability. It is crucial for users to be vigilant about the apps they use, review privacy policies, and stay informed about their rights under state and federal laws. Ultimately, more comprehensive privacy regulations and increased public awareness are needed to ensure the protection of consumers’ sensitive health information.

