Mobile Health Apps: Is Your PII Private?

July 8, 2021 - 6 minutes read


In early 2020, when COVID-19 cases were on the rise in the US, we witnessed a massive shift in how we live our daily lives. Hoping to limit the transmission of COVID-19, many densely populated cities such as New York City, Los Angeles, and others led the way in leaving the office to work remotely, curbing attendance at large gatherings and sporting events, and relying on more and more remote services. Many may not have realized it at the time, but the telehealth industry, which was already gaining market adoption, skyrocketed in popularity.


A CDC report found that telehealth visits increased by 154% during the last week of March 2020 compared with the same week in 2019. Further, patient sentiment indicates that telehealth services are in high demand. In a survey cited by Medical Economics, 93% of respondents said they would use telemedicine to manage prescriptions, and 91% said telemedicine would help them keep appointments, manage prescriptions and refills, and follow wellness regimens prescribed by their doctor. This shift drove a sharp increase in mobile application development, and services like BetterHelp, which remotely pairs patients with therapists, and MDLIVE, which connects patients with medical doctors, are taking the healthcare space by storm. So, where's the cause for concern?

Over the past few weeks, information has surfaced indicating that many mobile health apps may be sharing their clients' personal health information with third-party services. A report released by ExpressVPN's Digital Security Lab, in partnership with the Opioid Policy Institute and Defensive Lab Agency, found that some opioid addiction telehealth apps are breaching their own privacy agreements by sharing this personal health information.


To gauge how pervasive the sharing of health information is in these app-based services, the organizations studied the data-management practices of 10 popular telehealth apps that specifically cater to opioid treatment: Bicycle Health, Sober Grid, Pear Reset-O, Boulder Care, DynamiCare Health, Confidant Health, Kaden Health, Loosid, PursueCare, and Workit Health.

Of the ten apps studied, seven were found to use compromising practices in how they access or manage patients' sensitive information. In particular, seven of the apps access a unique identifier from the user's smartphone that can be used to link the patient to other personal information they never agreed to share. Further, five of the apps access the user's phone number, and three access the device's IMEI and IMSI numbers. The IMEI identifies the handset and the IMSI identifies the subscriber's SIM; neither can be reset by the user, so together they let a device and its owner be tracked across apps and services.
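The permissions an app declares are the quickest way to check whether it can even reach the identifiers described above. The following is an added example, not code from the report or from any of the apps it covers: it parses an AndroidManifest.xml (as decoded from an APK with a tool such as apktool) and maps each requested permission to the identifiers that permission can unlock, per the Android permission documentation. The sample manifest is constructed for illustration, and the package name in it is made up.

```python
"""Flag manifest permissions that gate access to phone number, IMEI, IMSI
and advertising ID. Added example; the permission-to-identifier mapping
follows the Android docs, the sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Which identifiers each permission can expose. READ_PHONE_STATE gates
# TelephonyManager.getDeviceId()/getSubscriberId()/getLine1Number() on
# Android 9 and earlier; from Android 10 the non-resettable IMEI/IMSI
# additionally require the privileged READ_PRIVILEGED_PHONE_STATE, which
# ordinary third-party apps cannot hold. AD_ID (Android 13+) gates the
# resettable advertising ID. Assumed mapping; extend for your own review.
IDENTIFIER_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": ["phone number", "IMEI", "IMSI"],
    "android.permission.READ_PHONE_NUMBERS": ["phone number"],
    "android.permission.READ_SMS": ["phone number"],  # also accepted by getLine1Number()
    "android.permission.READ_PRIVILEGED_PHONE_STATE": ["IMEI", "IMSI"],
    "com.google.android.gms.permission.AD_ID": ["advertising ID"],
}

# Constructed sample manifest; the package name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.telehealth">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
    <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
    <application android:label="Example"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every android:name on a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"  # ElementTree spells namespaced attrs as {ns}name
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def identifier_exposure(manifest_xml: str) -> dict[str, list[str]]:
    """Map each identifier to the requested permissions that can expose it."""
    exposure: dict[str, list[str]] = {}
    for perm in requested_permissions(manifest_xml):
        for ident in IDENTIFIER_PERMISSIONS.get(perm, []):
            exposure.setdefault(ident, []).append(perm)
    return exposure


def report(manifest_xml: str) -> str:
    """Human-readable summary, one line per exposed identifier."""
    exposure = identifier_exposure(manifest_xml)
    if not exposure:
        return "no identifier-related permissions requested"
    return "\n".join(f"{ident}: via {', '.join(perms)}" for ident, perms in sorted(exposure.items()))


if __name__ == "__main__":
    print(report(SAMPLE_MANIFEST))
```

A permission in the manifest means the app can ask for the identifier, not that it does; confirming actual collection and onward sharing still requires the kind of traffic analysis the report performed. The mapping also changes across Android releases, so treat the comment's version notes as the thing to re-check before relying on a result.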

How To Keep Your Sensitive Data Private

With data-sharing practices like these on the rise, what can an individual do to keep their personal information safe and out of the hands of third-party services? Luckily, there are several strategies a person can use to limit this practice. Let's explore a few of them.

Understand Your Rights

First and foremost, it's critically important to understand the rights you have when interacting with organizations that have access to your sensitive information. More and more legislation is coming online that favors the data owner and aims to protect the data owner's information. Laws such as HIPAA, GDPR, CCPA, and others impose stringent requirements on how personal information is accessed, managed, and transmitted. One caveat worth knowing: HIPAA applies only to covered entities (providers, health plans, and clearinghouses) and their business associates, so a consumer health app that is not operated on behalf of one of these can fall outside its protections even though it handles health data.

One win for the data owner is that cases are beginning to surface in which individuals have sued over the mismanagement of personal data and, backed by these privacy laws, have won in court. This is sending shockwaves through the tech community and making organizations rethink how they manage, transmit, or even sell personal data.

Read Privacy Agreements

It's no fun, but understanding what you agree to when using a service that has access to your personal information is key. Organizations often count on users not reading these agreements and will state plainly that they access and share personal data. In that scenario, the individual has little recourse if they later discover that the organization was (legally) using their sensitive information.

Our suggestion is to look for a competing service whose agreement aligns with your preferences as a data owner. Many services coming online today value keeping client data safe and protected, and tailor their offerings to the expectations of the modern data owner.
