The pitch: Health apps for users who are battling depression or want to quit smoking.
The problem: Many of the apps designed to track a user’s progress are sharing the personal details they collect with third parties, such as Google and Facebook, without consent.
That’s according to a study published this month in the journal JAMA Network Open. Researchers say the findings are especially important in mental health, given social stigmas and the risks of having sensitive information shared unknowingly. And since many health apps aren’t subject to government regulation, researchers say, consumers and clinicians must contend with what information is being entered into these apps — and who else can access it.
“Digital data doesn’t go away,” said John Torous, a co-author of the report. “A part of the risk is that we don’t fully know who is going to put this data together, when and where it’s going to show up again and in what context. … Data seems to end up in the hands of the wrong people more and more.”
Torous heads the digital psychiatry division at a Harvard Medical School-affiliated teaching hospital, where he also is a staff psychiatrist and a faculty member. He said there needs to be a “wake-up call” in the digital health field because, “We can’t treat people’s personal data like it’s the personal property of these app developers.”
The study tracked three dozen apps targeted at people with depression or who want to quit smoking, and found that only a third of them accurately conveyed that data would be accessed by a third party. The study looked at the top-ranked apps for depression and smoking but didn’t identify them.
Data brokers then aggregate this deidentified health information and sell it to third-party buyers. For example, Adam Tanner of the Harvard Institute for Quantitative Social Science estimates that a large pharmaceutical company might pay between $10 million and $40 million per year for data, consulting and services from Iqvia alone.
So not only did most apps share data, most gave users no indication sharing was a possibility.
Privacy is a recurring question in the digital realm. Earlier this month, The Washington Post reported that data compiled by popular period- and pregnancy-tracking apps often are not confined to users. Rather, apps such as Ovia give employers and health insurers a lens into users’ personal information about pregnancy and childbirth — often under the umbrella of corporate wellness.
In the case of Ovia, for example, employers who pay the apps’ developer can offer their workers a special version of the apps that, in turn, transmits health data — in an aggregated form — to an internal company website that can be viewed by people in human resources.
55 unique entities, owned by 46 parent companies, received or processed app user data, including developers and parent companies (first parties) and service providers (third parties). Of these, 37 (67%) provided services related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.
Data and privacy issues among health apps often stem from their business models, the researchers wrote. Because many insurers don’t cover these apps, developers typically have to sell subscriptions or users’ personal data to stay viable.
The apps in the study didn’t transmit data that could immediately identify a user, Torous said. But they did release strings of information “that can begin the process of re-identification.” If, for example, those strings get sent to Facebook analytics, Torous said, then the question becomes, “Who is putting this all together and who gets to access this?”
But technology has moved on in the intervening time, and there are now other ways to keep an eye on employees, as an article in the Washington Post describes: devices worn on employees’ bodies are an increasingly valuable source of workforce health intelligence for employers and insurance companies.
“We’ve seen enough stories that … there’s value in (the data), or else the app makers wouldn’t be sending them off,” Torous said. “And the bigger point is that (the apps) weren’t even disclosing it.”
With the rise of health and wellness apps, it can be confusing for users to distinguish between products that explicitly offer medical care, and those that don’t. But many health apps label themselves as “wellness tools” in their policies to get around legislation that mandates privacy protections for user data, such as HIPAA, the researchers wrote.
Torous gave the example of apps that address “stress and anxiety, or mood and depression.”
“In mental health, it’s a blurry line between what’s critical care and what’s self help,” he said.
Torous suggested a few ways to screen for reliable — and secure — apps. Carefully read the privacy policies. Check whether an app has been updated in the past 180 days and, if not, move on. Try to gauge whether you trust the app developer.
For example, Torous said, mental health apps developed by the Department of Veterans Affairs clearly say that user data isn’t transmitted elsewhere. And while the apps are generally geared toward veterans, the tools can often apply to others. The Food and Drug Administration, along with other international governments and agencies, is also developing ways to make health apps and other digital health tools more private and secure.
“Certainly if you’re sharing a lot of information about your mental health, and the app is not actually helping you, why put yourself at risk?” Torous said.