This article has been updated with a statement from Bicycle Health.
Several previous reports have raised privacy concerns about mobile health apps, particularly around data shared with third-party advertisers and analytics providers. The same problems persist even in apps that treat opioid use disorder, a category of care that is supposed to carry additional confidentiality protections.
An analysis of 10 addiction treatment and recovery apps found that almost all of them access sensitive user data and share it with third parties. The report was produced by ExpressVPN’s Digital Security Lab in collaboration with the Opioid Policy Institute and the Defensive Lab Agency.
During the height of the pandemic, more patients turned to virtual treatment as in-person clinics closed and telemedicine regulations were temporarily relaxed. ExpressVPN analyzed 10 apps with a combined 180,000 installs. Many of them have also been raising funding recently.
The list of apps includes:
- Bicycle Health
- Boulder Care
- Confidant Health
- DynamiCare Health
- Kaden Health
- Loosid
- Pear Reset-O
- PursueCare
- Sober Grid
- Workit Health
While patients would expect an app-based visit to offer the same level of privacy as an in-person clinic, often it doesn’t.
For example, seven of the ten apps shared users’ advertising IDs with Google. This is a “big deal” because the advertising ID is a unique identifier, said Sean O’Brien, senior researcher at ExpressVPN’s Digital Security Lab.
“An advertising ID has nothing to do with clinical care. It shouldn’t be there,” said Jonathan Stoltman, director of the Opioid Policy Institute, in a telephone interview. “If I walk into an addiction clinic and sign up for the day and give all of this information to Google, that’s way beyond what a medical facility would do. Patients have reasonable expectations that this will not happen.”
The apps also requested other permissions with tracking potential, such as access to location data or Bluetooth. Seven of the apps requested location information, and three of them contained SDK trackers from Facebook Analytics.
Other, less obvious requests had privacy implications. Two apps, Bicycle Health and Kaden Health, were able to read the list of all apps installed on the device. Kaden’s app could also share several types of information with the payment provider Stripe, including the user’s location, IP address, and phone number.
Loosid Health, a sober app that claims to have 100,000 users, had access to phone numbers, carriers, locations, and IP addresses.
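The indicators described above (advertising ID access, location and Bluetooth permissions, bundled analytics SDKs, and enumeration of installed apps) can be spotted in a first static pass over an app before any traffic analysis. The script below is an added example by the editor, not code from ExpressVPN’s report, the Defensive Lab Agency, or any of the apps named; the manifest and class list are constructed for illustration. In a real review the manifest would come from a decoded APK (for example via apktool) and the class list from a DEX dump, and the mapping of permissions and package prefixes to categories is the editor’s own assumption. Bundling an SDK shows it is present, not what it actually sends; that still requires observing the app’s network traffic.

```python
"""Static triage of an Android app for tracking indicators: permissions with
tracking potential and bundled third-party SDKs.

Added example, not code from the report or the apps it covers. The manifest
and class list below are constructed; the category mappings are assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app collect identifiers or context beyond what a
# clinical visit requires. Category labels are the editor's.
FLAGGED_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.BLUETOOTH": "Bluetooth (nearby device enumeration)",
    "android.permission.BLUETOOTH_SCAN": "Bluetooth scanning",
    "android.permission.READ_PHONE_STATE": "phone number / carrier",
    "android.permission.QUERY_ALL_PACKAGES": "list of all installed apps",
    "com.google.android.gms.permission.AD_ID": "advertising ID",
}

# Java package prefixes of common third-party SDKs. A match means the SDK is
# bundled, not that data is sent; confirming that needs traffic analysis.
TRACKER_PREFIXES = {
    "com.facebook.appevents": "Facebook Analytics",
    "com.google.android.gms.ads.identifier": "Google advertising ID client",
    "com.google.firebase.analytics": "Firebase Analytics",
    "io.branch.referral": "Branch",
    "com.stripe.android": "Stripe",
}


def flagged_permissions(manifest_xml: str) -> dict:
    """Return {permission: category} for flagged <uses-permission> entries."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in FLAGGED_PERMISSIONS:
            found[name] = FLAGGED_PERMISSIONS[name]
    return found


def bundled_trackers(class_names) -> dict:
    """Return {vendor: [matching class names]} for known SDK package prefixes."""
    found = {}
    for cls in class_names:
        for prefix, vendor in TRACKER_PREFIXES.items():
            if cls.startswith(prefix):
                found.setdefault(vendor, []).append(cls)
    return found


def triage(manifest_xml: str, class_names) -> dict:
    """Combine both checks into one findings dict for an app."""
    return {
        "permissions": flagged_permissions(manifest_xml),
        "trackers": bundled_trackers(class_names),
    }


# Constructed sample: a fictitious recovery app's decoded manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recovery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

# Constructed sample: class names as they would appear in a DEX dump.
SAMPLE_CLASSES = [
    "com.example.recovery.MainActivity",
    "com.facebook.appevents.AppEventsLogger",
    "io.branch.referral.Branch",
    "com.google.android.gms.ads.identifier.AdvertisingIdClient",
    "okhttp3.OkHttpClient",
]

if __name__ == "__main__":
    for section, findings in triage(SAMPLE_MANIFEST, SAMPLE_CLASSES).items():
        print(section)
        for key, value in findings.items():
            print(f"  {key}: {value}")
```

Running it against the constructed sample flags the location, installed-app and advertising-ID permissions and reports that the Facebook, Branch and Google advertising-ID SDKs are bundled, while ignoring INTERNET and the HTTP library. Treat the output as a list of questions for the vendor, not as proof of data sharing.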
In a statement sent via email, Bicycle Health CEO Ankit Gupta wrote that the company’s app only uses data that is necessary for safe treatment.
“We are carefully evaluating our partnership with our SDK provider Branch and looking into potential issues related to the collection of advertising identification data,” he wrote. “We do not expect any risks to the privacy of our customers.”
Kaden Health and Loosid Health did not respond to requests for comment at the time of publication.
Some of these findings are likely the result of embedding third-party SDKs without verifying what information they actually transmit.
“I don’t want to attribute malice to the developers. It’s entirely possible that the decisions they made from a software development perspective, or the contractors they hired to develop the app, made those decisions and therefore their data is at risk,” said O’Brien. “Why is it a problem in this context? It is very private, very sensitive information that would normally not be passed on in a clinical setting.”
It’s also worth noting that there were a few exceptions. According to the report, PursueCare was not observed disclosing any personal information to third parties. While the Pear Therapeutics Reset-O app could access users’ phone numbers and carriers, it did not request any other permissions.
Although, as with other health apps, these patients should be protected by federal data privacy laws, there is some ambiguity. In addition to HIPAA, information related to the treatment of substance use disorders should be subject to additional confidentiality protection under 42 CFR Part 2. A patient’s advertising ID would qualify as protected health information under both laws, according to Jacqueline Seitz, a senior health privacy attorney at the Legal Action Center.
“It’s more about finding out whether these laws apply to information at all,” wrote Seitz in an email. “HIPAA only applies to certain types of facilities and their contractors, and Part 2 only applies to certain types of addiction treatment programs and facilities that receive records of those treatment programs.”
Ultimately, the researchers hope that their results will lead app developers to scrutinize their work more carefully while keeping virtual care available to patients who need it.
“These apps have a very important purpose for a lot of people who are very vulnerable,” said O’Brien. “I hope this has a positive net effect.”
If you are in the United States and need assistance, please call the free and confidential treatment referral line (1-800-662-HELP) or visit findtreatment.gov
Photo credit: Zhuyufang, Getty Images