Past reports have raised privacy issues in mobile health apps, especially in terms of data shared with third-party advertisers and analytics providers. The same problem still exists even in applications that provide treatment for opioid use disorder, where additional privacy protection should be included.
An analysis of 10 addiction treatment and rehabilitation applications found that almost all of them were accessing sensitive user data and sharing it with third parties. The report was jointly completed by ExpressVPN’s Digital Security Laboratory, the Opioid Policy Institute, and the National Defense Laboratory Agency.
During the worst of the pandemic, with the closure of face-to-face clinics and the temporary relaxation of telemedicine regulations, more and more patients turned to virtual treatments. ExpressVPN analyzed 10 applications that have been installed 180,000 times. Many of them have also recently raised funds.
The list of applications includes:
- Bicycle Health
- Boulder Care
- Confidant Health
- Dynamic Health
- Kaden Health
- Pear Reset-O
- PursueCare
- Sober Grid
- Work Health
Although people expect app-based visits to have the same privacy protections as face-to-face clinics, this is often not the case.
For example, 7 out of 10 apps provide Google with the user’s advertising ID. Sean O’Brien, principal researcher at the ExpressVPN Digital Security Lab, said this is a “big problem” because it is a unique identifier.
“The advertising ID has nothing to do with clinical care. This shouldn’t exist,” Jonathan Stottman, director of the Opioid Policy Institute, said in a telephone interview. “If I walk into an addiction treatment clinic and log in and register on the same day, and then they provide all this information to Google, it will be far beyond what any medical institution can do. Patients have reasonable expectations and think this will not happen.”
The apps also reach for other identifying data, such as location data or Bluetooth connections. Seven of these applications request location information, and three of them contain SDK trackers from Facebook Analytics.
Other less obvious requests have privacy implications. Two apps, Bicycle Health and Kaden Health, have access to a list of all installed apps. Kaden is also able to share multiple types of information with payment provider Stripe, including the user’s location, IP address, and phone number.
Loosid Health is a sobriety app that claims to have 100,000 users and can access phone numbers, carriers, locations, and IP addresses.
Kaden Health and Loosid Health did not respond to requests for comment by the time of publication.
Some of these instances may be the result of embedding third-party code without reviewing what information is actually shared.
“I don’t want to ascribe malice to some of the developers. The choices they made from the perspective of software construction, or the contractors they hired to build the applications made these choices, so their data is at risk,” O’Brien said. “Why is there a problem in this situation: This is very private and very sensitive information, which is not usually shared in a clinical setting.”
There are some exceptions. According to the report, PursueCare did not share any known personal information with third parties. Pear Therapeutics’ Reset-O application is able to access the user’s phone number and carrier, but does not request any other permissions.
Although these patients should be protected by federal privacy laws, as with other health apps, there is some ambiguity. In addition to HIPAA, any information related to the treatment of substance use disorders is subject to additional confidentiality protection under 42 CFR Part 2. Under these two health laws, the patient’s advertising ID would be treated as protected health information, according to Jacqueline Seitz, a senior health and privacy lawyer at the Legal Action Center.
“On the contrary, the problem is to first figure out whether these laws apply to information,” Seitz wrote in an email. “HIPAA only applies to certain types of entities and their contractors, and Part 2 only applies to certain types of addiction treatment plans and entities that receive records from these treatment plans.”
Ultimately, the researchers hope that their results will guide app developers to review their work more carefully while still providing virtual care to patients in need.
“These applications have very important uses for many very vulnerable people,” O’Brien said. “I hope this will have a positive impact.”
If you need help in the United States, please call the free and confidential treatment referral hotline (1-800-662-HELP) or visit findtreatment.gov.