How secure is the user information collected by mobile health applications and fitness trackers? Perhaps not as secure as consumers would like to believe.
According to a report published in February in the Wall Street Journal, several health apps have been sharing personal data with Facebook without users’ knowledge.
“Health apps and trackers may be silently siphoning personal data — food preferences, body weight, sleep data, heart rhythm, steps taken, menstrual cycles, as well as vital signs — and transferring this data to entities such as Facebook without your knowledge or permission,” says Robert Glatter, MD, a physician in the department of emergency medicine at Lenox Hill Hospital in New York City.
One app allowed Facebook to see if a user had engaged in sexual activity, while another shared information on whether a person needed to work on losing “belly fat.”
The newspaper specifically named Flo Period and Ovulation Tracker, Glucose Buddy, Breethe Sleep and Meditation, Lose It!, Weight Loss Fitness by Verv, BetterMe Weight Loss Workout, GetFit Home Fitness and Workout, Instant Heart Rate HR Monitor, and BetterMen Fitness Trainer.
Since the report came out, at least the first four apps in this list have stopped sending information to Facebook. One of the companies, Flo, issued a statement saying, in part: “We have initiated a comprehensive external audit on the data privacy matter and will inform users if any further changes are going to be enacted.”
Meanwhile, New York State has launched its own inquiry, contacting Facebook for more details on how this data is being collected and distributed. New York’s governor, Andrew Cuomo, has called the data-sharing practice “an outrageous abuse of privacy.”
Facebook is cooperating with state regulators and alerting the apps to stop sending the social media company this data, according to the Journal.
A Growing Threat to Privacy
The revelation that health apps may be quietly distributing these personal particulars is the latest incident in a disturbing trend.
A study published in March 2016 in the Journal of the American Medical Association (JAMA) warned that diabetes-related apps had been routinely gathering sensitive medical details and transmitting them to third parties.
“App users often don’t realize their information is being shared,” says the lead author of the JAMA paper, Sarah Blenner, MPH, the director of field studies with the department of community health sciences at UCLA’s Fielding School of Public Health. “Once health information has been shared, there is no taking it back — the information is no longer private, and it is essentially impossible to regain control.”
Blenner cautions that this data from health apps and trackers can be used against individuals to deny them a job interview or insurance.
“The person might never realize that opportunities were missed because information was leaked from a health app,” she says.
Advertisers may also acquire this information to target individuals with specific products that supposedly appeal to their preferences.
“It’s vital to read the fine print when you sign up for an app, to better understand their specific data-sharing policies,” says Dr. Glatter. “Many apps, however, may not outwardly make this information available, so you may have to do some digging to get better clarification.”
Taking Measures to Secure Personal Data
Generally, mobile health apps are not required to protect the privacy and security of an individual’s health information in the same way that a physician must. These apps are not directly subject to federal medical privacy regulations as set forth in the Health Insurance Portability and Accountability Act (HIPAA). This is true even if the apps “handle or store an individual’s health information.”
In a 2016 report examining this topic, an American Medical Association council wrote that “patient privacy and data security need to be a priority in the digital health space, as mobile apps and devices can be subject to privacy and data breaches.”
The AMA estimated that there are more than 165,000 health apps available to consumers. The organization recognizes that health apps have the potential to improve health outcomes, but while some are subject to federal regulation, many “do not undergo rigorous evaluation before deployment for general use, which raises quality and patient safety concerns.”
The AMA is playing a leading role in developing guidelines to assess the privacy, security, safety, and effectiveness of mobile apps through a collaborative effort called Xcertia.
In addition to the AMA, Xcertia includes more than two dozen organizations, such as the Mayo Clinic, the App Association, and the American Heart Association. Xcertia is giving the public the opportunity to comment on and help shape these guidelines through May 15, 2019.
A Worthwhile Trade-off?
While some of his patients have expressed worries about the security of their Fitbits, smart watches, and other mobile gear, Glatter doesn’t see them giving up their electronics.
“Many patients who have embraced such technology may be reluctant to abandon their devices,” he says. “Their digital addiction may be stronger than their concern for data sharing or the potential for hacking.”
Even with the concerns surrounding privacy, Glatter embraces apps that track fitness, motivate people to adhere to an exercise or diet plan, improve physical performance, and monitor sleep and vital signs.
“This is valuable information that can provide a snapshot of the current state of your health and provide motivation and rationale to make lifestyle changes to improve fitness and improve longevity,” he says.