In today’s digital economy there’s an app for just about everything. One area that’s booming more than most is healthcare. From period and fertility trackers to mental health and mindfulness, there are mobile health (mHealth) applications available to help with almost any condition. In fact, it’s a market already experiencing double-digit growth, and set to be worth an estimated $861 billion by 2030.

But when using these apps, you could be sharing some of the most sensitive data you possess. In fact, the GDPR classifies medical information as “special category” data, meaning it could “create significant risks to the individual’s fundamental rights and freedoms” if disclosed. That’s why regulators mandate organizations provide extra protections for it.

Unfortunately, not all app developers have the best interests of their users in mind, or always know how to protect them. They may skimp on data protection measures, or they may not make it clear how much of your personal information they share with third parties. With that in mind, let’s take a look at the main privacy and security risks of using these apps, and how you can stay safe.

What are the top health app privacy and security risks?

The main risks of using mHealth apps fall into three categories: insufficient data security, excessive data sharing, and poorly worded or deliberately evasive privacy policies.

1. Data security concerns

These often stem from developers failing to follow best practice rules on cybersecurity. They could include:

  • Apps that are no longer supported or don’t receive updates: Vendors may not have a vulnerability disclosure/management program in place, or take little interest in updating their products. Whatever the reason, if software doesn’t receive updates, it means it may be riddled with vulnerabilities which attackers can exploit to steal your data.
  • Insecure protocols: Apps that use insecure communications protocols may expose users to the risk of hackers intercepting their data in transit from the app to the provider’s back-end or cloud servers, where it’s processed.
  • No multi-factor authentication (MFA): Most reputable services today offer MFA as a way to bolster security at the log-in stage. Without it, hackers could obtain your password via phishing or a separate breach (if you reuse passwords across different apps) and log in as if they were you.
  • Poor password management: For example, apps that allow users to keep factory default passwords, or set insecure credentials such as “passw0rd” or “111111.” This leaves the user exposed to credential stuffing and other brute force attempts to crack their accounts.
  • Enterprise security: App companies may also have limited security controls and processes in place in their own data storage environment. This could include poor user awareness training, limited anti-malware and endpoint/network detection, no data encryption, limited access controls, and no vulnerability management or incident response processes in place. These all increase the chances they could suffer a data breach.

2. Excessive data sharing

Users’ protected health information (PHI) may include highly sensitive details about sexually transmitted diseases, substance addiction or other stigmatised conditions. This information may be sold to or shared with third parties, including advertisers for marketing and targeted ads. Among the examples noted by Mozilla are mHealth providers that:

  • combine information on users with data bought from data brokers, social media sites and other providers to build more complete identity profiles,
  • do not allow users to request deletion of specific data,
  • use inferences made about users when they take sign-up questionnaires which ask revealing questions about sexual orientation, depression, gender identity and more,
  • allow third-party session cookies which identify and track users across other websites to serve relevant ads,
  • allow session recording, which monitors user mouse movements, scrolling and typing.

3. Unclear privacy policies

Some mHealth providers may not be upfront about some of the above privacy practices, using vague language or hiding their activities in the small print of T&Cs. This can give users a false sense of security/privacy.



What the law says

  • GDPR: Europe’s flagship data protection law is pretty unequivocal about organizations handling special category PHI. Developers need to conduct privacy impact assessments, follow the right to erasure and data minimization principles, and take “appropriate technical measures” to ensure “the necessary safeguards” are baked-in, to protect personal data.
  • HIPAA: mHealth apps offered by commercial vendors for use by individuals are not covered by HIPAA, because vendors are not a “covered entity” or “business associate.” However, some are – and require the appropriate administrative, physical and technical safeguards in place, as well as an annual Risk Analysis.
  • CCPA and CMIA: Californian residents have two pieces of legislation protecting their security and privacy in an mHealth context: the Confidentiality of Medical Information Act (CMIA) and the California Consumer Privacy Act (CCPA). These demand a high standard of data protection and explicit consent. However, they only apply to Californians.

Taking steps to protect your privacy

Everyone will have a different risk appetite. Some will find the trade-off between personalised services/advertising and privacy one they’re willing to make. Others may not be bothered if some medical data is breached or sold to third parties. It’s about finding the right balance. If you are concerned, consider the following:

  • Do your research before downloading. See what other users say and if there are any red flags from trusted reviewers
  • Limit what you share via these apps and assume anything you say may be shared
  • Don’t connect the app to your social media accounts or use them to sign in. This will limit what data can be shared with these companies
  • Don’t give the apps permission to access your device camera, location, etc.
  • Limit ad tracking in your phone’s privacy settings
  • Always use MFA where offered and create strong, unique passwords
  • Keep the app on the latest (most secure) version

Since Roe vs Wade was overturned, the debate over mHealth privacy has taken a worrying turn. Some have raised the alarm that data from period trackers could be used in prosecutions against women seeking to terminate their pregnancies. For a growing number of people looking for privacy-respecting mHealth apps, the stakes couldn’t be higher.