Data sharing by popular health apps is 'routine,' research finds

Mobile health apps are a booming market targeted at both patients and health professionals. Medicines-related apps help patients track their prescriptions and remember to take their pills. They also provide drug information to help clinicians prescribe and administer medications.

However these apps also pose unprecedented risk to consumers' privacy given their ability to collect user data, including sensitive information that is highly valuable to commercial interests, new research demonstrates.

Published in BMJ, the research team - from the University of Sydney, the University of Toronto and University of California - set out to investigate if and how user data is shared by top rated medicines-related mobile apps. It also sought to characterise privacy risks to app users, both clinicians and consumers.

The researchers found sharing of user data by medicines-related apps is routine but far from transparent, and also identified a small number of commercial entities with the ability to aggregate and potentially re-identify user data.

"Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services," said lead author Assistant Professor Quinn Grundy of the University of Toronto and University of Sydney School of Pharmacy, Charles Perkins Centre.

How data is shared

The research team identified 24 top rated medicines related apps for the Android mobile platform in the United Kingdom, United States, Canada, and Australia. All apps were available to the public; provided information about medicines dispensing, administration, prescribing, or use; and were interactive.

They then ran laboratory-based traffic analysis of each app downloaded onto a smartphone, simulating real world use with four dummy scripts.

Privacy leaks were detected using a technique called Differential Traffic Analysis, explained co-author Dr Ralph Holz from the University of Sydney's School of Computer Science.

"The idea is to capture a baseline of the normal network data that an app causes, and then change privacy-related settings in the app. The places where the new settings turn up in any fresh network data shows us where and to whom the app is leaking it."

Of the sampled apps, most - 19 out of 24 or 79 percent - shared user data outside of the app. A total of 55 unique entities, owned by 46 parent companies, received or processed this data, including developers, parent companies (first parties) and service providers (third parties).

Third parties also advertised the ability to share user data with 216 'fourth parties' including multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency. Only three of these fourth parties could be characterised predominantly as belonging to the health sector.

Several companies, including Alphabet, Facebook, and Oracle, occupied central positions within the network with the ability to aggregate and re-identify user data.

Call for greater regulation and transparency

While it's unclear if iOS apps share user data - and if medicines-related apps share user data more or less than other health apps, or apps in general - the findings remain of concern said Assistant Professor Grundy.

"Most health apps fail to provide privacy assurances or transparency around data sharing practices," she said.

"User data collected from apps providing medicines information or support may also be particularly attractive to cybercriminals or commercial data brokers.

"Health professionals need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent.

"Regulators should also emphasise the accountabilities of those who control and process user data, while health app developers should disclose all data sharing practices and allow users to choose precisely what data are shared and where."

Quinn Grundy, Kellia Chiu, Fabian Held, Andrea Continella, Lisa Bero, Ralph Holz.
Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis.
BMJ 2019; 364 doi: 10.1136/bmj.l920.

Most Popular Now

Regorafenib to be tested in brain cancer patients …

Bayer announced that the regorafenib arm of the platform trial "GBM AGILE" (Glioblastoma Adaptive Global Innovative Learning Environment) opened for enrollment in the US ...

Sanofi and Google to develop new healthcare Innova…

Sanofi and Google will establish a new virtual Innovation Lab with the ambition to radically transform how future medicines and health services are delivered by tapping i...

Bristol-Myers Squibb provides update on pending me…

Bristol-Myers Squibb Company (NYSE: BMY) today provided an update on the approval process and timeline for the Company’s pending merger with Celgene Corporation (NASDAQ: ...

Artificial DNA can control release of active ingre…

A drug with three active ingredients that are released in sequence at specific times: Thanks to the work of a team at the Technical University of Munich (TUM), what was o...

LEO Pharma completes the acquisition of Bayer’s pr…

LEO Pharma and Bayer announced today the achievement of the relevant closing conditions to allow the transfer of Bayer’s global prescription dermatology business to LEO P...

Pathogen engineered to self-destruct underlies can…

A team of investigators has developed a cancer vaccine technology using live, attenuated pathogens as vectors. A feature of the vaccine causes these bacteria to self-dest...

Novartis successfully completes acquisition of Xii…

Novartis today announced that it has completed its acquisition of Xiidra® (lifitegrast ophthalmic solution) 5%, the first and only prescription treatment approved to trea...

How gastric stem cells fight bacteria

Stem cells are not only key players in tissue regeneration, they are also capable of taking direct action against bacteria. This is the finding of a study conducted by re...

New study showing drug prolongs life for patients …

Women with ovarian cancer who have undergone four or more rounds of chemotherapy typically haven't had much hope that another treatment option will lengthen their lives i...

Pfizer completes acquisition of Therachon

Pfizer Inc. (NYSE: PFE) announced the successful completion of its acquisition of the privately held clinical-stage biotechnology company Therachon Holding AG. Under the ...

Sports playbook helps doctors predict cancer patie…

In this season of global soccer competitions and hotly contested political primaries, bookies and pundits are scouring every evolving scrap of information and sifting thr...

FDA seeks public feedback on new drug approval tra…

Today the U.S. Food and Drug Administration issued a Federal Register notice, New Drugs Regulatory Program Modernization: Improving Approval Package Documentation, to ope...