An in-depth analysis of more than 20,000 health-related mobile applications (mHealth apps) published by The BMJ today finds “serious problems with privacy and inconsistent privacy practices.”

The researchers say the collection of personal user information is “a pervasive practice” and that patients “should be informed on the privacy practices of these apps and the associated privacy risks before installation and use.”

Of the 2.8 million apps on Google Play and the 1.96 million apps on Apple Store, an estimated 99,366 belong to the medical and health and fitness categories (known collectively as mobile health or mHealth apps).

They include the management of health conditions and symptom checking to step and calorie counters and menstruation trackers and often contain sensitive health information.

App developers routinely, and legally, share user data, but inadequate privacy disclosures have been repeatedly found for many mHealth apps, preventing users from making informed choices around the data.

To explore this further, researchers at Macquarie University in Australia identified more than 15,000 free mHealth apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps.

They found that while mHealth apps collected fewer user data than other types of mobile apps, 88% could access and potentially share personal data.

For example, about two thirds could collect advert identifiers or cookies, one third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device is connected, potentially providing information on the user’s geolocation.

Only 4% of mHealth apps actually transmitted data (mostly user’s name and location information). However, the researchers say this percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps.

What’s more, 87.5% of data collection operations and 56% of user data transmissions were on behalf of third party services, such as external advertisers, analytics, and tracking providers, and 23% of user data transmissions occurred on insecure communication channels.

The top 50 third parties were responsible for most (68%) of the data collection operations, which most commonly were a small number of tech corporations, including Google, Facebook, and Yahoo!

The researchers also found that 28% (5,903) of the mHealth apps did not offer any privacy policy text, and at least 25% (15,480) of user data transmissions violated what was stated in the privacy policies. Yet only 1.3% (3,609) of user reviews raised concerns about privacy.

These are observational findings and the researchers point to some limitations. For instance, some parts of the apps might not have been triggered during testing, and restricting the analysis to free apps might have introduced bias. 

However, they say their study presents a broad assessment of mHealth apps compared with previous studies, and they conclude: “This analysis found serious problems with privacy and inconsistent privacy practices in mHealth apps. Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps.”

They point out that consumers can make it more difficult to be tracked by disabling advert identifiers, adjusting app permissions, and using advert blockers, but say “we must also advocate for greater scrutiny, regulation, and accountability on the part of key players behind the scenes - the app stores, digital advertisers, and data brokers - to address whether these data should exist and how they should be used, and to ensure accountability for harms that arise.”