The struggle to make health apps truly private

Jonathan J.K. Stoltman already knew how hard it can be for people with addiction to find the right treatment. As director of the Opioid Policy Institute, he also knew how much worse the pandemic made it: A family member had died of an opioid overdose last November after what Stoltman describes as an “enormous effort” to find them care. So Stoltman was hopeful that technology could improve patient access to treatment programs through things like addiction treatment and recovery apps.

But then he consulted last year with a company that makes an app for people with substance use disorders, where he says he was told that apps commonly collected data and tracked their users. He worried that they weren’t protecting privacy as well as they should, considering who they were built to help.

“I left after expressing concerns about patient privacy and quality care,” Stoltman told Recode. “I’m a tech optimist at heart, but I also know that with that widespread reach they can have widespread harms. People with an addiction already face substantial discrimination and stigma.”

So Stoltman reached out to Sean O’Brien, principal researcher at ExpressVPN’s Digital Security Lab, last March, asking if his team could analyze some apps and see if Stoltman’s concerns were founded. O’Brien, who has extensively studied app trackers, was happy to help.

“I had a responsibility to find out what data [the apps] collected and who they might be sharing it with,” O’Brien told Recode.

The results are in a new report that examined the data collection practices in a number of apps for opioid addiction and recovery. The research, which was conducted by ExpressVPN’s Digital Security Lab in partnership with the Opioid Policy Institute and the Defensive Lab Agency, found that nearly all of the apps gave third parties, including Facebook and Google, access to user data. O’Brien said he didn’t think anyone on his team “expected to find so much sloppy handling of sensitive data.”

shortcomings of health privacy laws when it comes to protecting patient data.

There are a lot of gray areas surrounding what those laws are supposed to cover. And in general, apps are built to constantly (and, often, furtively) exchange user data with several other parties and services, some of which use that data for their own purposes.

How apps give away your data …

The ExpressVPN report looked at 10 Android apps, many of which provide medication-assisted treatments, or drugs that reduce cravings and ease withdrawal symptoms, via telehealth.

Those apps have become more widely used in the past year and a half, as they’ve expanded their coverage areas and raised millions in venture capital funds. They’ve also benefited from a temporary waiver of a rule that requires first-time patients to have an in-person evaluation before a doctor can prescribe Suboxone, which alleviates opioid withdrawal symptoms. Unless and until that rule is restored, an entire treatment program can be done through an app. That might lower the barriers to access for some people, especially if they don’t live close to a treatment provider, but the report found that it may also expose their data to third parties the apps use to provide certain services through, among other things, software development kits, or SDKs.

SDKs are tools made by third parties that app developers can use to add functions to their apps that they can’t or don’t want to build themselves. A telehealth app might use Zoom to provide videoconferencing, for example. But these SDKs must communicate with their provider to work, which means apps are sending some data about their users to a third party. How much and what type of data is exchanged depends on what the SDK needs and whatever restrictions the developer has placed, or is able to place, on it.

like advertising IDs, which are unique to devices and can be used to track users across apps — indicated to researchers that they are collecting data beyond what the app or the SDK needs to function. And patients might not be comfortable about which vendors have access to their data without their knowledge. Facebook, Google, and Zoom, for instance, have all had their share of very public privacy issues, while most people probably have no idea what AppsFlyer, Branch, or OneSignal are or what they do (analytics and marketing, basically).

ExpressVPN also found that Kaden Health, which provides medication-assisted therapy and counseling services, gave the payment processor Stripe access to several identifiers and information, including a list of installed apps on a user’s device and their location, IP address, unique device and SIM card IDs, phone number, and mobile carrier name. Kaden also gave Facebook location access and gave Google access to the device’s advertising ID, according to the report. Kaden did not respond to a request for comment, but its privacy policy says “we also work with third parties to serve ads to you as part of customized campaigns on third-party platforms (such as Facebook and Instagram).”

This worries patient advocates who see the potential of these apps and how they remove barriers to access for some patients, but are concerned about the cost to patient privacy if these practices continue.

“Many people agree that addiction treatment needs to advance with the science,” Stoltman said. “I think you’d be hard-pressed to find people that think the problem is ‘we don’t give enough patient data to Facebook and Google.’ … Patients shouldn’t have to trade over their privacy to benefit corporate interests for access to lifesaving treatment.”

Yet many people do just that, and not just when it comes to opioid addiction and recovery apps. The report also speaks to a larger issue with the health app industry. Apps are built on technology that is designed to collect and share as much information about their users as possible. The app economy is based on tracking app users and making inferences about their behavior to target ads to them. The fact that we often take our devices with us everywhere and do so many things on them means we give a lot of information away. We usually don’t know how we’re being tracked, who our information is being shared with, or how it’s being used. Even the app developers themselves don’t always know where the information their apps collect is going.

A 2015 survey found that nearly 60 percent of respondents had at least one health app on their mobile devices. And that was six years ago and before the pandemic, when health and wellness app use ballooned.

Silicon Valley clearly sees the potential of health apps. Big tech companies like Amazon and Google are continuing to invest in health care as more services move online, which leads to more questions about how these companies, some of which aren’t known for having great privacy protections, will handle the sensitive data they get access to. Recognizing their growth and how and why consumers use these apps, the Federal Trade Commission (FTC) even released a mobile health app-specific guide to privacy and security best practices in April 2016.

Five years later, it doesn’t appear that many health apps are following them. A recent study of more than 20,000 Android health and medical apps published in the British Medical Journal found that the vast majority of them could access and share personal data, and they often weren’t transparent with users about their privacy practices or simply didn’t follow them — if they had privacy policies at all. There have been reports that mental health apps share user data with third parties, including Facebook and Google. GoodRx, an app that helps people find cheaper prices for prescription drugs, was caught sending user data to Facebook, Google, and marketing companies in 2019. The menstrual tracker Flo has become a case study in health privacy violations for telling users that their health data wouldn’t be shared and then sending that data to Facebook, Google, and other marketing services. Flo reached a settlement with the FTC over those allegations last month and has admitted no wrongdoing.

Meanwhile, the Department of Health and Human Services waived certain privacy rules for telehealth for the duration of the pandemic to make more services available quickly when people were suddenly cut off from in-person care. That doesn’t apply to most of these apps, which, while classified as “health” apps, aren’t covered by medical privacy laws at all. Flo, for instance, got in trouble with the FTC over the deceptive wording of its privacy policy, which amounts to a consumer protection matter, not a health privacy one. But many of the opioid addiction recovery and treatment apps ExpressVPN looked at should be covered by the strictest medical records privacy laws in the country — both the Health Information Portability and Accountability Act (HIPAA) and 42 CFR Part 2, which specifically regulates substance use disorder patient records.

Part 2 was created to ensure the confidentiality of patient records in substance use disorder programs that receive federal assistance (which all but one of the apps ExpressVPN looked at do, though Part 2 doesn’t apply to all of the services they offer). The rule is written to ensure patients wouldn’t be discouraged from seeking treatment. Accordingly, Part 2 is more restrictive than HIPAA in terms of who has access to a patient’s records and why, and says that any identifying information about a patient (or de-identified data that can be combined with other sources to re-identify a patient) can only be shared with that patient’s written consent. There may also be state laws that further restrict or regulate patient record confidentiality.

SAMHSA’s treatment locator or by phone at 1-800-662-4357.