Menu Close

Numerous Health Apps Lacking Data Protections Around Sensitive User Information, New Investigation Finds

IDAC Investigations Logo

Boston, MA – Many popular health apps that utilize sensitive personal information fail to meet basic best security practices, according to a new investigation from the International Digital Accountability Council (IDAC). 

The report identifies that, while most health apps are observing the letter of the law and platform terms that they are required to follow, many widely used apps available on Google Play Store fail to meet basic data protection practices and some popular apps violate Google Play Store policies. 

“People upload very personal information into these apps — information that is often intimate and private,” IDAC President Quentin Palfrey said.  “Health app users deserve the highest level of privacy possible, but there is a mismatch between the analog-era consumer protections in place, and how health apps are treating this sensitive information.

The IDAC investigation, conducted with support from The Rose Foundation, identified that some popular apps are sending unencrypted user data, have inadequate or missing privacy policies, or collect granular information about user location without adequate explanation. 

Additionally, several apps appear to transmit user data to endpoints in countries such as Russia and China with weak data protection laws and poor human rights records. The majority of apps investigated have questionable practices and disclosures around third-party data sharing, and in particular, sharing with advertising companies.

“We simply cannot allow app developers to slide backward into behavior that, intentional or not, puts consumer trust in the apps at risk,” said Palfrey. “Now is the time to double down on watchdog reviews of these apps and policing by regulators, platforms and developers themselves to ensure that digital privacy health is treated like a public health priority.”  

Even when health apps closely follow existing privacy requirements, most users have little awareness of how their data is collected and shared, the IDAC report noted. Disclaimers about the types of data being shared and who receives sensitive information are often buried in lengthy, convoluted and legalistic documents that users often skim over to sign. This creates a scenario where users technically consent to having their personal data collected and shared, yet are unaware of how their data is shared and with whom. 

“More people than ever are using digital health apps, so users need to be aware that private — and potentially sensitive — information is being collected on these platforms and shared with third-parties,” Palfrey said. “App developers have a responsibility to respect consumer privacy by making their data practices more transparent.”

The IDAC team completed this review with support from technologists at Good Research and App Census.