Most health apps share data with third, fourth parties, BMJ analysis warns

Dive Brief:

Lack of transparency and regulation around data sharing practices of health-related apps is putting users' privacy at considerable risk, a new analysis in BMJ warns.
The researchers looked at 24 top-rated, interactive apps for Android mobile devices pertaining to medical information, dispensing, administration, prescribing or use. Of those, 79% shared user data with third parties, which then shared it with "fourth parties."
"Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent," the authors say.

Dive Insight:

More people are turning to digital devices to help them monitor and maintain their health. In a Rock Health survey, 90% of respondents reported using at least one digital health tool in 2017, up from 80% the previous year. Roughly 80% said they used them for health information, while a fourth used them for tracking vital signs or a condition.

At the same time, consumers are worried about security and errors in online data and medical records.

In 2017, the mHealth app collaborative Xcertia released a batch of industry-developed draft guidance documents aimed at clarifying questions around operability, privacy, security and content of mobile health apps.

In the BMJ study, 55 different entities owned by 46 parent companies received or processed user data from the 24 sample apps. Of those, a third provided infrastructure-related services while two-thirds performed data collection and analysis, advertising.

"Sharing with infrastructure-related third parties represents additional attack surfaces in terms of cybersecurity," the authors write. "Several companies providing cloud services also offered a full suite of services to developers that included data analytics or app optimisation, which would involve accessing, aggregating, and analysing app user data."

As if that isn't concerning enough, third parties touted the ability to share user data with 216 fourth parties.

Among first and third parties, several companies stood out in their capacity to combine and reidentify user data. Amazon and Google parent Alphabet received the most user data, while Amazon and Microsoft received the greatest variety.

Fourth parties receiving the most diverse and highest volumes of user data were global tech companies like Alphabet, Facebook and Oracle, along with their data sharing partners — which are, in the case of Alphabet, for example, extensive, the study points out.

The authors note that while developers maintain app users' personal identities are not revealed through data sharing, companies involved in infrastructure plus analytics and advertising have the wherewithal to identify users. Given what is at stake, companies should, at the least, provide transparent sharing — as opposed to privacy — policies, they say.

"As big data features increasingly in all aspects of our lives, privacy will become an important social determinant of health, and regulators should reconsider whether sharing user data for purposes unrelated to the use of a health app, for example, is indeed a legitimate business practice," the authors write. "At minimum, users should be able to choose precisely which types of data can be accessed and used by apps (eg, email, location), and to have the option to opt-out for each type of data."

Policymakers should also look at tighter regulation of third parties that commercialize user data or companies that own and operate mobile platforms and app stores, they add.