
Health apps frequently neglect privacy of users, study finds


A European study has found that half of health apps could be sharing sensitive personal data via insecure connections, and the majority of these apps share health-related data with third-party companies.

The study involved a collaboration of researchers from the University of Piraeus, Greece, and Rovira i Virgili University, Spain, who are working to develop improved solutions to protect European citizens’ online privacy.

The researchers looked at 20 free apps available on Google Play, all of which had been downloaded between 100,000 and 10 million times and had a minimum rating of 3.5/5. They studied how the apps stored and monitored personal data, such as information about past health conditions.

Of the apps analysed in the study, 80 per cent shared health-related data with third-party companies, with the other 20 per cent storing data on the users’ phones. This data included text as well as images, such as X-rays.

Only half of these apps shared this data securely, using HTTPS connections to manage user login. More than half of the apps transmitted data using URL links: this made the data potentially accessible to anybody who could gain access to those links.

20 per cent of the apps did not refer users to a privacy policy or failed to do so in the language of the app. Some of the health apps required access to camera and microphone, contacts list, external storage, Bluetooth and location, despite their functionality not being dependent on this access.

According to the study, the majority of the apps did not meet legal requirements or standards intended to protect users from inappropriate data use and disclosure to third parties.

“We strongly support the use of mobile health apps, but users must know that apps’ popularity does not ensure privacy and security,” said Professor Agusti Solanas of Rovira I Virgili’s department of computer engineering and mathematics.

In the second part of the study, Solanas and his colleagues approached the apps' developers with their findings. While some of these issues were subsequently fixed – including insecure health data transfers and the failure to anonymise patients due to data transfers to third parties – many other issues were neglected in spite of their warnings.

“People need to become more aware of the risks they are facing [using health apps],” said Dr Solanas.

The issue of health data being shared insecurely has been a concern for years. It has been reported that UK doctors frequently use their phones to share personal health data with their colleagues, including sending text and pictures via SMS to request their professional opinion. In 2015, the NHS was forced to remove health apps from its library of accredited apps after they were found to be leaking patients' medical details online.
