
Health apps must protect sensitive data

By Randy Hutchison

President of the BBB of the Mid-South

Health apps that help you count calories, monitor your blood pressure, manage medications, or track other health conditions often collect your most sensitive information. But unlike doctors, they may not be subject to health privacy laws like HIPAA. They may use your information in their research, use it to target you with ads, or disclose or sell it to third parties.

In July, the FTC issued a statement reaffirming its commitment to fully enforce the law against illegal use and sharing of highly sensitive data. It said there’s a behind-the-scenes irony in which highly personal information people may choose not to disclose to family and friends may be shared with complete strangers through a health app.

The FTC says personal health data, as well as information on places users have visited, may end up in the hands of data aggregators and brokers that collect data from multiple sources and use it to build profiles and draw inferences about consumers. One data broker bragged to its shareholders that it had 3,000 points of data for nearly every consumer in the United States. In a 2014 study, the FTC cited the example of sensitive data being used to categorize a consumer as an “Expectant Parent.”

The FTC’s concerns aren’t purely theoretical. In 2021, it reached a settlement with a company it alleged shared the health information of users with outside data analytics providers despite promising it would be kept secret. Flo Health markets an ovulation and fertility tracking app used by more than 100 million women that, contrary to what its privacy policy said, conveyed pregnancy-related information to third-party marketing companies. In a February 2019 article, the Wall Street Journal said it intercepted unencrypted identifying health information transmitted by the app to Facebook. The FTC said users of the app felt “outraged,” “victimized” and “violated.”

The FTC says companies that collect sensitive health data should know that it’s protected by numerous federal and state laws and that it won’t tolerate companies that over-collect, indefinitely retain, or misuse data. It also warned about false promises that data would be anonymized or aggregated such that it couldn’t be associated with an individual. Not only are such promises sometimes false, as was the case with Flo Health, but anonymized data can often be re-identified, particularly in the context of location data. Researchers showed that it was possible to uniquely identify 95 percent of 1.5 million people in a dataset using four location points with timestamps.

The FTC and BBB offer these tips to avoid the risk of having sensitive information captured by health apps misused:

  • Look for a privacy notice that explains in simple terms what information the app collects, how it’s used, and if it’s shared with third parties and how they use it.
  • See what control the app’s settings give you over the collection and use of your data. Default settings often encourage sharing.
  • Keep the app and your phone’s operating system up to date so they include any fixes for privacy or security glitches.
  • Recognize that sharing sensitive information always carries the risk that it could be misused despite company promises and privacy policies. Are the app’s services worth the risk?
  • Report any concerns you have about a health app not keeping up its end of the bargain to the FTC.