Health apps share your concerns with advertisers. HIPAA can’t stop it.

From ‘depression’ to ‘HIV’, we found popular health apps sharing potential health concerns and user IDs with dozens of advertising companies

(Video: Katty Huertas for The Washington Post)

Digital healthcare has its advantages. Privacy is not one of them.

In a nation with millions of uninsured families and a shortage of healthcare professionals, many of us are turning to healthcare apps and websites for affordable information or even potential treatment. But when you launch a symptom checker or digital therapy app, you may unknowingly be sharing your concerns with more than just the app creator.

Facebook was caught getting patient information from hospital websites through its tracking tool. Google stores our health-related internet searches. Mental health apps leave room in their privacy policies to share data with unlisted third parties. Consumers have few protections under the Health Insurance Portability and Accountability Act (HIPAA) when it comes to digital data, and our investigation found that popular health apps share information with a wide range of advertisers.

You planned an abortion. Planned Parenthood’s website can tell Facebook.

Most of the data that is shared does not identify us directly. For example, apps can share a string of numbers called an “identifier” that’s associated with our phones, not our names. Not all recipients of this data are in the advertising business—some provide analytics showing developers how users navigate their apps. And the companies argue that sharing the pages you visit, such as a page titled “depression,” isn’t the same as disclosing sensitive health issues.

But privacy experts say sending user IDs along with keywords from the content we visit puts users at unnecessary risk. Big data collectors, such as brokers or advertising companies, can collect someone’s behavior or concerns using multiple pieces of information or identifiers. This means that “depression” can become yet another data point that helps companies target or profile us.

To give you insight into the data sharing that goes on behind the scenes, The Washington Post enlisted the help of several privacy experts and companies, including researchers at DuckDuckGo, which makes a variety of online privacy tools. After their findings were shared with us, we independently verified their claims using a tool called mitmproxy, which allowed us to see the content of the web traffic.

What we learned is that several popular health apps for Android, including Drugs.com Medication Guide, WebMD: Symptom Checker, and Period Calendar Period Tracker, give advertisers the information they need to market to individuals or groups of users based on their health problems.

The Drugs.com Android app, for example, sent data to more than 100 outside parties, including advertising companies, DuckDuckGo said. Terms in these data transfers include “herpes,” “HIV,” “adderall” (a drug used to treat attention-deficit/hyperactivity disorder), “diabetes,” and “pregnancy.” These keywords come along with device identifiers, raising questions about privacy and targeting.

Drugs.com said it does not transmit any data that is considered “sensitive personal information” and that its ads are relevant to the content of the page, not to the individual viewing that page. When The Post pointed out that in one case Drugs.com appeared to send an outside company a user’s first and last name — a fake name that DuckDuckGo uses for its testing — it said it never intended for users to enter their names into “ profile name” and that it will stop transmitting the contents of this field.

Among the terms WebMD shares with advertising companies, along with user identifiers, are “addiction” and “depression,” according to DuckDuckGo. WebMD declined to comment.

Period Calendar shared information, including identifiers, with dozens of outside companies, including advertisers, according to our investigation. The developer did not respond to requests for comment.

What goes on inside the advertising companies themselves is often a mystery. But ID5, an ad tech company that obtained data from WebMD, said its job is to generate user IDs that help apps make their advertising “more valuable.”

“Our job is to identify customers, not know who they are,” said ID5 co-founder and CEO Matthew Roche.

Jean-Christophe Peube, executive vice president of advertising company Smart, which has since acquired two other ad-tech firms and rebranded as Equativ, said the data it receives from Drugs.com can be used to place users into “categories of interests’.

Peube said in a statement shared with The Post that targeting ads based on interests is better for privacy than using technologies like cookies to target individuals. But some users may not want their health concerns used for advertising at all.

Knowing you by number or interest group rather than name won’t prevent advertisers from targeting people with specific health problems or conditions, said Pam Dixon, executive director of the nonprofit research group World Privacy Forum.

How we can protect our health information

We consent to the privacy practices of these applications when we accept their privacy policies. But few of us have time to wade through the laws, says Andrew Crawford, senior adviser at the Center for Democracy and Technology.

How to review the privacy policy to spot red flags

“We click quickly and accept ‘yes’ without really considering the potential trade-offs down the chain,” he said.

These compromises can take several forms, such as our information falling into the hands of data vendors, employers, insurers, real estate agents, lenders or law enforcement, privacy experts say.

Even small bits of information can be combined to make big inferences about our lives, says Lee Tien, a senior attorney at the privacy organization Electronic Frontier Foundation. These tidbits are called proxy data, and more than a decade ago they helped Target figure out which of its customers were pregnant by looking at who bought unscented lotion.

“It’s very, very easy to identify people if you have enough data,” Tien said. “A lot of times companies will tell you, ‘Well, that’s true, but nobody has all the data.’ We don’t really know how much data companies have.”

Some lawmakers are trying to limit the sharing of health data. California State Assemblywoman Rebecca Bauer-Kahan introduced a bill in February that could redefine “medical information” in the state’s medical privacy law to include data collected from mental health apps. Among other things, it would prohibit apps from using a user’s “presumed or diagnosed mental health or substance use disorder” for purposes other than providing care.

The Center for Democracy and Technology, along with the industry group eHealth Initiative, proposed a voluntary framework to help health apps protect information about their users. It does not limit the definition of “health data” to services by a professional, nor to a list of protected conditions, but includes any data that could help advertisers learn or infer an individual’s health problems. It also calls on companies to publicly and explicitly promise not to link “de-identified” data to any person or device — and to require their contractors to promise the same.

Google lets you limit pregnancy and weight loss ads

So what can you do? There are several ways to limit the information shared by health apps, such as not linking the app to your Facebook or Google account during login. If you’re using an iPhone, choose “ask the app not to track” when prompted. If you use Android, reset your Android Advertising ID frequently. Tighten up your phone’s privacy settings, whether you’re using an iPhone or Android.

If apps ask for additional permissions to share data, say no. If you are concerned about data you have already provided, you can try submitting a data deletion request. Companies are not required to honor the request unless you live in California due to the state’s privacy law, but some companies say they will delete data for anyone.

Leave a Comment

Your email address will not be published.