Health apps harbour significant privacy risk

data security

The rising popularity in the use of health apps could be undermining the confidential nature of our medical details and conditions, experts have said.

A survey conducted by BMJ put 24 health apps under the microscope to find that 19 of those chosen relayed user data with companies and heavyweight data giants such as Facebook, Amazon and Google.

Researchers in charge of the study concluded that the details could be passed on once more to more diverse organisations such as credit agencies. Alternatively, the information could be used in targeted ad campaigns, the experts warned.

Perhaps more worryingly, it was found that the data was shared in spite of developer claims to the contrary, with apps often saying that personally identifiable information (PII) was not collected – a measure that is in direct contradiction with the GDPR.

Using such health apps, the study said that account holders could be easily identified, should an attempt be made to put together individual user data according to the unique addresses of each handset.

Dr Quinn Grundy of the Lawrence S. Bloomberg Faculty of Nursing at the University of Toronto, wrote:

“The semi-persistent Android ID will uniquely identify a user within the Google universe, which has considerable scope and ability to aggregate highly diverse information about the user.”

“These apps claim to offer tailored and cost-effective health promotion – but they pose unprecedented risk to consumers’ privacy given their ability to collect user data, including sensitive information, he continued.”

On the back of the study, the authors have advised doctors to warn patients about the threat such apps may pose to their privacy.

Regulators have been urged to look at the behaviour of such technologies and consider the unfair costs related to exposure of data that users often take for granted as confidential.

Speaking to the BBC news website, Prof Alan Woodward from the University of Surrey, said:

“Users still have little understanding of how the data they entrust to these apps is being shared.”


European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.