That nifty new health app you downloaded to your phone to keep track of your meds might be sharing your information with a host of unrelated companies, some of which have nothing to do with healthcare, a new study finds.
The key finding from our study is that health related data is widely shared with companies that have nothing to do with health
When researchers ran two dozen medication apps through their paces using a phony identity, to track what was being done with the data, they found that sharing was routine and far from transparent.
"The key finding from our study is that health related data is widely shared with companies that have nothing to do with health," said study leader Quinn Grundy, an assistant professor in the faculty of nursing at the University of Toronto. "The consumer has no way to know exactly what is happening with their data and what consequences there might be."
"This is a breach of privacy that may not just be embarrassing but could also affect our lives in big ways, just as the credit score does," Grundy said.
Grundy's team tested 24 top-rated publicly available medication apps designed to work on Android phones in the UK, the U.S., Canada and Australia. The interactive apps provided information about medication dispensing, administration or use.
After downloading each app to a smartphone with one of four fictional users, the researchers ran each one 14 times to observe its "normal" network traffic related to 28 types of user data, including Android ID, user's birthday, email, and precise location.
Then they altered one source of user information and ran the app again to detect leaks of sensitive information sent to a remote server outside the app. Companies receiving sensitive user data were then identified by their IP addresses, allowing the researchers to scrutinize their websites and privacy policies.
In all, the data were shared with 55 unique entities owned by 46 parent companies - including developers, parent companies, and service providers, many of which were involved in collecting user data for analytics or advertising. Service providers also advertised the ability to share user data with 216 other entities, or fourth parties, including multinational technology companies, digital advertising companies, telecommunication corporations and a consumer credit reporting agency.
Healthcare privacy experts weren't surprised by the findings.
While health care providers are required to preserve patient privacy, tech companies are not, said John Houston, vice president of privacy and information security and associate counsel at the University of Pittsburgh Medical Center.
A big concern for app users is how their data will be used and by whom, Houston said. "What happens if an employer decides you are at risk for cardiovascular disease and doesn't want to hire you?" he added.
While the risk that personal data could be shared has existed for some time, "we are now at a tipping point," said Jennings Aske, senior vice president and chief security officer at NewYork-Presbyterian Hospital. "We're waking up to the fact that this is not a niche problem anymore. My biggest complaint is that decisions are being made about you based on imperfect data that ultimately can have a negative impact."
Although companies say the data being shared has been anonymized, "it's not that hard to combine data from a number of sources to figure who you are," Aske said. "And ultimately you can strip my name from something but my iPhone Mac address is still there and my cable provider pretty much keeps the same IP address."