Some apps are sharing your sensitive medical data. Here’s how to protect against it
Health app makers are leaking users’ sensitive medical data – including medical conditions, symptoms, names and emails – according to a cybersecurity expert.
The potential leaks also include details of patients’ pharmacies and medical practitioners.
The data sharing was uncovered by researchers from the University of Sydney, who found that it is rife in the health and medical app sector.
The research, published in the BMJ, analysed a sample of the top-rated health apps on the Android platform in Australia, Britain, the US and Canada.
Data sharing poses a serious privacy and security risk to users. Dr Ralph Holz, who co-wrote the paper, said developers often over-shared data with third parties, such as Google and Facebook, for future financial gain.
“Often developers don’t know what their future business model is going to be, so they share more data than they need to,” he said.
An online database, populated by Dr Holz and his colleagues, offers a list of the top-rated medical apps analysed in their study. It also has information about a breakdown of each app’s security and privacy processes.
The New Daily took a tour of the interactive tool to learn more about the apps that were exposing users to privacy risks.
Information uploaded to Healthprivacy.info also allows individuals to check how a listed app handled their data during the study, and whether any problems found have since been fixed.
How to spot the risks
Of the 26 health-related apps uploaded to the interactive tool, 80 per cent were found to have privacy issues.
On the website’s Apps vs Sources page, individuals can see the type of information each app potentially leaked, which third party it was sent to, and whether it travelled over a secure (https) or an insecure, unencrypted (http) connection.
Four of the apps (ListMeds Free, Medi Droid Pill Reminder, My PillBox and Med Helper Pro Pill Reminder) were found to have “insecure storage” during the study period. The issues were rectified once the researchers contacted the offending app developers directly.
“Insecure storage is when they use public storage and anyone can access it. It provides the developers with convenience, or it might just be legacy – that’s how they did it when they started out and after that they simply forgot about it,” Dr Holz said.
“Industry practice is to rectify the issue within 90 days, and all apps with insecure storage rectified the issue.”
Only one app (Med Helper Pro Pill Reminder) had enabled an extra layer of security through end-to-end (E2E) encryption, in which data is encrypted on the device before it is sent over the network, with a key that never leaves the device. This means the destination server stores only ciphertext it cannot read, so a breach of that server, or the server operator itself, cannot expose the user’s medical details.
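To make the difference concrete, here is an added example (not code from the study, the website or any of the apps named above) of what “encrypt locally before sending” means in practice. The record, the device key and the toy sync server are all constructed for the illustration; the assumption is that the key is generated and kept on the phone and only the sealed blob is ever uploaded.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// healthRecord is a constructed sample of the kind of data a pill-reminder
// app might sync to its backend.
type healthRecord struct {
	Condition string `json:"condition"`
	Pharmacy  string `json:"pharmacy"`
}

// newDeviceKey generates a random 256-bit key. In a real app this would be
// created once on the device and kept in the platform keystore; it is never
// sent to the server, which is what makes the scheme end-to-end.
func newDeviceKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptLocally seals plaintext with AES-256-GCM under the device key.
// The random nonce is prepended so the blob is self-describing; GCM also
// authenticates the data, so tampering is detected on decryption.
func encryptLocally(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptLocally reverses encryptLocally. It fails, rather than returning
// garbage, if the key is wrong or the blob was modified in transit.
func decryptLocally(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], nil)
}

// syncServer is a hypothetical backend that only ever sees sealed blobs.
type syncServer struct{ store map[string][]byte }

func newSyncServer() *syncServer { return &syncServer{store: map[string][]byte{}} }

func (s *syncServer) upload(user string, blob []byte) { s.store[user] = blob }

func (s *syncServer) download(user string) ([]byte, bool) {
	b, ok := s.store[user]
	return b, ok
}

// canRead reports whether the server (or anyone who breaches it) can find
// the given field value in cleartext in what it stores for the user.
func (s *syncServer) canRead(user, fieldValue string) bool {
	return bytes.Contains(s.store[user], []byte(fieldValue))
}

func main() {
	key, err := newDeviceKey()
	if err != nil {
		panic(err)
	}
	plain, _ := json.Marshal(healthRecord{Condition: "asthma", Pharmacy: "Main St Pharmacy"})
	blob, err := encryptLocally(key, plain)
	if err != nil {
		panic(err)
	}
	srv := newSyncServer()
	srv.upload("alice", blob)
	fmt.Println("server can read condition:", srv.canRead("alice", "asthma"))

	stored, _ := srv.download("alice")
	back, err := decryptLocally(key, stored)
	if err != nil {
		panic(err)
	}
	fmt.Println("device decrypts:", string(back))
}
```

The contrast with the leaky apps in the study is that the server never holds the key: `canRead` is false for the sealed blob, while an app that uploads `plain` directly over http hands the same JSON to the server and to anyone on the network path.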
How do third parties use your data, and what happens if it falls into the wrong hands?
Data collected by health and medical apps could be “particularly attractive to cybercriminals or commercial data brokers”, lead study author Assistant Professor Quinn Grundy said.
“Most health apps fail to provide privacy assurances or transparency around data sharing practices.”
“Health professionals need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” Assistant Professor Grundy said.
App users could also risk employment, insurance or education-related discrimination if a detailed account of their health history was made available, the authors warned.
Most of the time, the information was collected and stored for marketing purposes, Dr Holz said.
“They are not really after you, the individual,” he said.
“They are after data that allows them to build meaningful information about groups and that is extremely valuable to these companies for marketing purposes.”
It’s unclear from this study if iOS apps share user data in the same way as Android apps. Nonetheless, the authors said, the findings were still concerning.
“I am sure there are many others once you browse deeper … we’ve just scratched the surface here,” Dr Holz said.
How can you protect yourself against cyber crimes and data sharing?
Dr Holz recommended using an app that requests as little personal information as possible.
“Once the data has been stored, there’s no way of getting it back,” he said.
Ideally, the app lets you use it anonymously, without asking for your full name or date of birth, for example. Dr Holz also advised steering clear of apps that require users to create a full profile page before they can use them.
Finally, people can check whether an app is publicly known to have exposed users to security vulnerabilities by searching the CVE (Common Vulnerabilities and Exposures) list at cve.mitre.org, which has more than 100,000 entries, each with a description of the security issue. Bear in mind that most consumer apps never receive a CVE entry, so a clean search is not evidence that an app is safe, only that no one has publicly catalogued a flaw in it.