Health apps share your concerns with advertisers. HIPAA can’t stop it.

From ‘depression’ to ‘HIV’, we found popular health apps sharing potential health issues and user IDs with dozens of advertising companies

(Video: Katty Huertas for The Washington Post)

Digital healthcare has its advantages. Privacy is not one of them.

In a country with millions of uninsured families and a shortage of healthcare professionals, many of us turn to healthcare apps and websites for accessible information or even potential treatment. But when you launch a symptom checker or digital therapy app, you may be unknowingly sharing your concerns with more than the app maker.

Facebook has been caught receive patient information from hospital websites through its tracking tool. Google stores our health-related Internet searches. mental health apps leave the room in their privacy policies to share data with unlisted third parties. According to our survey, users have few protections under the Health Insurance Portability and Accountability Act (HIPAA) when it comes to digital data, and popular health apps share information with a wide range of advertisers.

You scheduled an abortion. The Planned Parenthood website might tell Facebook.

Most of the data shared does not directly identify us. For example, apps can share a string of numbers called an “id” that is tied to our phones rather than our names. Not all recipients of this data are in the advertising industry – some provide analytics showing developers how users move through their apps. And the companies say sharing the pages you visit, like a page titled “depression,” isn’t the same as revealing sensitive health issues.

But privacy experts say sending user IDs with keywords of the content we visit exposes consumers to unnecessary risk. Big data collectors such as brokers or advertising companies could piece together a person’s behavior or concerns using multiple pieces of information or identifiers. This means that “depression” could become an additional data point that helps companies target or profile us.

To give you an idea of ​​the data sharing happening behind the scenes, The Washington Post enlisted several privacy experts and companies, including researchers from DuckDuckGo, which makes a variety of online privacy tools. After their findings were shared with us, we independently verified their claims using a tool called mitmproxy, which allowed us to visualize the content of web traffic.

What we learned is that several popular Android health apps, including Medication Guide, WebMD: Symptom Checker, and Period Calendar Period Tracker, provided advertisers with the information they would need to market to people or groups of consumers according to their health problems.

The Android app, for example, sent data to more than 100 outside entities, including advertising companies, DuckDuckGo said. Terms contained in these data transfers included “herpes”, “HIV”, “adderall” (a drug to treat attention deficit/hyperactivity disorder), “diabetes” and “pregnancy”. These keywords were accompanied by device identifiers, raising questions about privacy and targeting. said it does not transmit any data considered “sensitive personal information” and that its ads are relevant to the content of the page, not the person viewing that page. When The Post pointed out that in one instance, appeared to send an outside company the user’s first and last name — a fake name that DuckDuckGo had used for its testing — it said it never intended for users to enter their names into the “profile”. name” and that it will stop transmitting the contents of this field.

According to DuckDuckGo, among the terms WebMD shared with advertising companies with user IDs were “addiction” and “depression.” WebMD declined to comment.

According to our investigation, Period Calendar shared information, including identifiers, with dozens of outside companies, including advertisers. The developer did not respond to requests for comment.

What happens in the ad agencies themselves is often a mystery. But ID5, an ad tech company that received data from WebMD, said its job is to generate user IDs that help apps make their advertising “more valuable.”

“Our job is to identify customers, not who they are,” said Mathieu Roche, co-founder and CEO of ID5.

Jean-Christophe Peube, executive vice president of adtech company Smart, which has since acquired two other adtech companies and rebranded Equativ, said the data it receives from can be used to classify consumers into ” categories of interest”.

Peube said in a statement shared with The Post that interest-based ad targeting is better for privacy than using technologies like cookies to target individuals. But some consumers may not want their health issues used for advertising.

Knowing you by number or interest group rather than name wouldn’t stop advertisers from targeting people with specific health conditions or conditions, said Pam Dixon, executive director of the nonprofit research group. lucrative World Privacy Forum.

How can we protect our health information

We consent to the privacy practices of these applications when we accept their privacy policies. But few of us have time to skim through the legal jargon, says Andrew Crawford, senior attorney at the Center for Democracy and Technology.

How to Scan a Privacy Policy to Spot Red Flags

“We click quickly and accept ‘okay’ without really considering the potential trade-offs downstream,” he said.

These compromises could take many forms, such as our information landing in the hands of data sellers, employers, insurers, realtors, credit grantors or law enforcement, according to privacy experts.

Even small pieces of information can be combined to infer big things about our lives, says Lee Tien, senior attorney at privacy organization Electronic Frontier Foundation. This information is called proxy data, and more than ten years ago it helped Target understand which of his customers were pregnant by looking at who bought an unscented lotion.

“It’s very, very easy to identify people if you have enough data,” Tien said. “A lot of times companies will say to you, ‘Well, that’s true, but no one has all the data.’ We don’t really know how much data companies have.

Some lawmakers are trying to curb the sharing of health data. California State Assemblywoman Rebecca Bauer-Kahan introduced a bill in February that could redefine “medical information” in state medical privacy law to include data collected by mental health apps. Among other things, it would prohibit apps from using “a consumer-diagnosed or suspected mental health or addiction disorder” for any purpose other than providing care.

The Center for Democracy and Technology, along with the industry group eHealth Initiative, have proposed a voluntary framework to help health apps protect information about their users. It does not limit the definition of “health data” to the services of a professional, nor to a list of protected conditions, but includes all data that could help advertisers know or infer a person’s health problems. . It also calls on companies to publicly and ostensibly promise not to associate “anonymised” data with any person or device – and to require their contractors to promise the same.

Google lets you limit pregnancy and weight loss ads

So what can you do? There are several ways to limit the sharing of health information by apps, such as not linking the app to your Facebook or Google account when logging in. If you’re using an iPhone, select “ask app not to track” when prompted. If you are using Android, reset your Android Ad ID frequently. Strengthen your phone’s privacy settings, whether you’re using an iPhone or Android.

If apps ask for additional data sharing permissions, say no. If you are concerned about the data you have already provided, you can try submitting a data deletion request. Companies aren’t obligated to honor the request unless you live in California due to state privacy law, but some companies say they’ll delete anyone’s data.

Comments are closed.