Health App Privacy Risks Revealed by New Study

A new study published by BMC Medicine has revealed numerous health app privacy risks, with 66% of accredited apps under test found not to employ data encryption, potentially allowing the personal data of users to be intercepted by cybercriminals.

The study, "Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment", set out to explore whether health and wellness apps offered an adequate level of security, following reports that health app developers were employing poor information privacy practices.

The researchers noted that medical app accreditation programs do offer a means of assessing the quality of mobile health apps, but in many cases they fall short of assessing, or controlling, health app privacy risks. The study sought to assess whether certified health and wellness apps actually had the necessary privacy and security controls required by the UK’s largest accreditation program: The NHS Health Apps Library.

Privacy of UK Mobile Health App Users Being Placed at Risk

The results of the study are worrisome. The researchers discovered that 89% of the apps under test transmitted data to the cloud, yet 66% did not encrypt transmitted data. Perhaps most alarming of all, 20% of the apps that were tested did not even have a privacy policy in place, preventing users of the apps from finding out that their privacy was potentially at risk by using the applications.

The researchers also discovered that when privacy policies were in place (67% of apps had a privacy policy of sorts), 78% of the health apps that transmitted data did not adequately describe the nature of personal information that was transmitted.

In the majority of cases, the transmitted data would not have allowed the individual using the app to be identified had it been intercepted, but 4 out of the 79 apps under test did transmit unencrypted personally identifiable information (PII) together with the data recorded by the apps. In two cases, the researchers also found security issues in the apps that could have allowed the transmitted data to be intercepted.
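The two findings above, cleartext transmission and PII riding along with app data, are exactly what a reviewer looks for in a captured traffic sample before an app is accredited. The following is an added example, not code from the study or from this article: a small Python triage pass over request records as an intercepting proxy might export them. The record layout, the field names treated as PII and the four sample requests are all constructed assumptions for this example; it grades each request by transport (HTTPS or not) and by whether identifying fields are present, then rolls the results up per app so the share of apps with at least one cleartext request can be reported, mirroring the study's headline figure.

```python
"""Triage captured app requests for cleartext transport and PII in the payload.

Added example, not from the study or the article. The request record format,
the PII field list and the sample capture below are assumptions for this
example only.
"""
from urllib.parse import urlsplit

# Body keys treated as personally identifiable for this example (assumption).
PII_FIELDS = {"email", "name", "full_name", "phone", "date_of_birth",
              "nhs_number", "address"}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}

# Constructed sample capture: four requests from four hypothetical apps.
SAMPLE_REQUESTS = [
    {"app": "stepcounter", "url": "https://api.example.test/v1/steps",
     "body": {"steps": 8042, "device_id": "d3f1"}},
    {"app": "moodlog", "url": "http://sync.example.test/upload",
     "body": {"mood": 3, "email": "user@example.test", "full_name": "A. Person"}},
    {"app": "sleepwell", "url": "http://stats.example.test/ping",
     "body": {"hours": 7.5}},
    {"app": "bpmonitor", "url": "https://cloud.example.test/bp",
     "body": {"systolic": 128, "diastolic": 82, "nhs_number": "000 000 0000"}},
]


def classify_request(record):
    """Grade one request: is transport encrypted, and does the body carry PII?"""
    scheme = urlsplit(record["url"]).scheme.lower()
    encrypted = scheme == "https"
    pii = sorted(PII_FIELDS & set(record.get("body", {})))
    if not encrypted and pii:
        severity = "high"      # identifying data readable by anyone on the path
    elif not encrypted:
        severity = "medium"    # health data in cleartext, not directly identifying
    elif pii:
        severity = "low"       # identifying data, but protected in transit
    else:
        severity = "info"
    return {"app": record["app"], "encrypted": encrypted,
            "pii_fields": pii, "severity": severity}


def summarize(records):
    """Roll findings up per app: worst severity, any cleartext, union of PII fields."""
    findings = {}
    for rec in records:
        c = classify_request(rec)
        f = findings.setdefault(
            c["app"], {"severity": "info", "cleartext": False, "pii_fields": set()})
        if SEVERITY_RANK[c["severity"]] > SEVERITY_RANK[f["severity"]]:
            f["severity"] = c["severity"]
        f["cleartext"] = f["cleartext"] or not c["encrypted"]
        f["pii_fields"].update(c["pii_fields"])
    for f in findings.values():
        f["pii_fields"] = sorted(f["pii_fields"])
    return findings


def cleartext_share(records):
    """Fraction of apps in the capture that sent at least one request without TLS."""
    findings = summarize(records)
    if not findings:
        return 0.0
    return sum(1 for f in findings.values() if f["cleartext"]) / len(findings)


if __name__ == "__main__":
    for app, f in summarize(SAMPLE_REQUESTS).items():
        print(f"{app:12} severity={f['severity']:6} cleartext={f['cleartext']} "
              f"pii={f['pii_fields']}")
    print(f"apps with at least one cleartext request: "
          f"{cleartext_share(SAMPLE_REQUESTS):.0%}")
```

Run as a script, the example prints one line per app and the cleartext share (50% for the constructed capture). The grading is deliberately coarse: a scheme check does not prove that certificate validation is done correctly, so a "low" or "info" result is a starting point for a closer look, not a clean bill of health.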

Since these apps had already been accredited, and had the seal of approval of the UK’s NHS, users of the apps would be likely to consider them safe. In some instances, that was certainly not the case.

The researchers concluded that the accrediting organizations should, at the very least, provide “consistent and reliable warnings about possible threats and, ideally, require publishers to rectify vulnerabilities before apps are released.”

The study can be found on the following link.

Mobile Health Apps Can Offer Considerable Patient Health Benefits

Mobile apps have considerable potential to help healthcare providers cut back on the cost of healthcare provision, while offering patients many valuable benefits. Recent research conducted in Australia has shown that physician-patient text messages can have a positive effect on patient health, and medical apps can similarly help healthcare providers engage patients and get them to take charge of their own health and wellbeing.

In the United States, the popularity of health monitoring apps for mobile devices has skyrocketed over the past few years. Kantar Media’s MARS OTC/DTC Study from 2013 showed that 55.7 million Americans were using diet and fitness apps in 2013, which represents 32% of U.S. mobile phone owners. Other consumer studies conducted in 2013 showed that a third of physicians in the United States had recommended a health and fitness app to some of their patients.

While the apps have many useful benefits, health app privacy risks should not be ignored, since they may be placing the privacy of patients at risk. Unless those privacy risks are addressed, it is only a matter of time before the apps cause a privacy breach.

OCR Takes Action to Address Health App Privacy Risks

The timing of the study is particularly apt, with the Department of Health and Human Services’ Office for Civil Rights having recently launched a new internet portal aimed at application developers. The new portal offers mobile application developers an opportunity to ask questions – and get answers – on HIPAA regulations covering data privacy and security, while also giving the OCR some valuable insights into aspects of privacy and security regulations that mobile app developers need assistance with.

One of the main aims of the new portal is to help the OCR develop new guidance for application developers, to ensure they incorporate the appropriate safeguards in their applications so that healthcare providers can use them with confidence, without risking violations of patient privacy or the HIPAA Rules.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news