Health apps share your concerns with advertisers. HIPAA can’t stop it.

From ‘depression’ to ‘HIV’, we found popular health apps sharing potential health issues and user IDs with dozens of advertising companies

(Video by Kathy Huertas for The Washington Post)

Digital healthcare has its advantages. Privacy is not one of them.

In a country with millions of uninsured families and a shortage of health care providers, many of us are turning to medical apps and websites for affordable information or even potential treatment. But when you launch a symptom checker or digital therapy app, you may unwittingly share your concerns with more than just the app maker.

Facebook was caught getting patient information from hospital websites through its tracking tool. Google stores our health-related searches. Mental health programs leave room in their privacy policies for sharing data with private third parties. Under the Health Insurance Portability and Accountability Act (HIPAA), users have little protection when it comes to digital data, and popular health apps share information with large numbers of advertisers, according to our research.


Most of the data provided does not directly identify us. For example, apps can share a string of numbers called “identifiers” that are associated with our phones, not our names. Not all recipients of this data are in the advertising business — some provide analytics that show developers how users navigate their apps. And the companies say that reporting what pages you visit, such as a page called “depression,” isn’t the same as disclosing a serious health problem.

But privacy experts say sending user IDs along with keywords from the content we visit exposes consumers to unnecessary risk. Large data collectors, such as brokers or advertising companies, can piece together someone’s behavior or concerns from multiple pieces of information or identifiers. This means that “depression” can become another data point that helps companies target or profile us.

To give you a glimpse of the data sharing that goes on behind the scenes, The Washington Post enlisted the help of several privacy experts and companies, including researchers at DuckDuckGo, which makes a variety of online privacy tools. After they shared their findings with us, we independently verified their claims using a tool called mitmproxy, which allowed us to view the contents of the web traffic.

We learned that several popular Android health apps, including Drugs.com Medication Guide, WebMD: Symptom Checker, and Period Calendar Period Tracker, provided advertisers with the information they needed to advertise to individuals or groups of consumers based on their health concerns.

The Drugs.com Android app, for example, sends data to more than 100 outside organizations, including advertising companies, according to DuckDuckGo. Terms within these transmissions included “herpes,” “HIV,” “adderall” (an attention-deficit/hyperactivity disorder drug), “diabetes,” and “pregnancy.” These keywords appeared alongside device identifiers, raising concerns about privacy and targeting.

Drugs.com said it does not share any data that is considered “sensitive personal information” and that its ads are about the content of the page, not the person viewing the page. When The Post pointed out that in one case, Drugs.com appeared to have sent a user’s first and last name to a third-party company — the fake name DuckDuckGo used for its testing — it said it never intended for users to enter their names in the “profile name” field and would stop transmitting the contents of this field.

According to DuckDuckGo, among the terms WebMD shared with advertising companies along with user IDs were “addiction” and “depression.” WebMD declined to comment.

According to our investigation, Period Calendar provided information, including identifiers, to dozens of outside companies, including advertisers. The developer did not respond to requests for comment.
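The kind of check described above, flagging third-party requests that carry a device-style identifier together with a health keyword, can be sketched as follows. This is an added example, not code from The Post or DuckDuckGo; it assumes the captured requests have already been exported to simple records with `url` and `body` fields (a hypothetical shape), and every host name and identifier in it is constructed.

```python
import json
import re
from urllib.parse import urlsplit, unquote_plus

# Keywords the article reports seeing in app traffic.
HEALTH_TERMS = {"herpes", "hiv", "diabetes", "pregnancy",
                "addiction", "depression"}
# Advertising IDs on Android are UUID-formatted strings.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I)
WORD_RE = re.compile(r"[a-z]+")

def is_third_party(host, first_party):
    """True unless host equals, or is a subdomain of, a first-party domain."""
    host = host.lower().rstrip(".")
    return not any(host == d or host.endswith("." + d) for d in first_party)

def audit_flows(flows, first_party):
    """Return {third_party_host: {"ids": set, "terms": set}} for requests that
    carry a device-style identifier together with a health keyword."""
    findings = {}
    for flow in flows:
        parts = urlsplit(flow["url"])
        host = parts.hostname or ""
        if not is_third_party(host, first_party):
            continue
        # Decode path, query string and body so encoded keywords still match.
        text = unquote_plus(" ".join([parts.path, parts.query, flow.get("body", "")]))
        ids = {m.lower() for m in UUID_RE.findall(text)}
        terms = HEALTH_TERMS & set(WORD_RE.findall(text.lower()))
        if ids and terms:
            entry = findings.setdefault(host, {"ids": set(), "terms": set()})
            entry["ids"] |= ids
            entry["terms"] |= terms
    return findings

# Constructed sample records (not real captures); hosts use reserved .example names.
AD_ID = "123e4567-e89b-42d3-a456-426614174000"
SAMPLE_FLOWS = [
    {"url": "https://api.healthapp.example/article?topic=depression&uid=" + AD_ID},
    {"url": "https://ads.tracker.example/bid?kw=HIV%2Cdiabetes&ifa=" + AD_ID},
    {"url": "https://metrics.example/collect", "body": json.dumps(
        {"device": {"adid": AD_ID.upper()}, "page": "/conditions/pregnancy"})},
    {"url": "https://cdn.fonts.example/css?family=depression"},  # term, no ID
]

if __name__ == "__main__":
    print(audit_flows(SAMPLE_FLOWS, {"healthapp.example"}))
```

The first-party request and the request with a keyword but no identifier are both ignored; only hosts that receive the two together are reported.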

What happens in the advertising companies themselves often remains a mystery. But ID5, the ad tech company that obtained the data from WebMD, said its job is to create user IDs that help apps make their ads “more valuable.”

“Our job is to identify customers, not to know who they are,” said ID5 co-founder and CEO Mathieu Roche.

Jean-Christophe Peube, executive vice president of ad tech company Smart, which has since acquired two other ad firms and rebranded as Equativ, said the data it receives from Drugs.com can be used to classify consumers into “categories of interests”.

Peube said in a statement shared by The Post that interest-based ad targeting is better for privacy than using technologies like cookies to target individuals. But some consumers may not want their health problems used in advertising at all.

Pam Dixon, executive director of the non-profit research group World Privacy Forum, said that being known by a number or interest group rather than a name would not prevent advertisers from targeting people with certain health problems or illnesses.

How we can protect information about our health

We agree to the privacy practices of these applications when we accept their privacy policies. But few of us have time to wade through the laws, says Andrew Crawford, senior adviser at the Center for Democracy and Technology.


“We’re quick to click and accept ‘I agree’ without considering the potential compromises on the bottom line,” he said.

Privacy experts say these compromises can take many forms, such as our information falling into the hands of data vendors, employers, insurers, real estate agents, lenders or law enforcement.

Even small pieces of information can be combined to infer something big about our lives, says Lee Tien, senior associate at the privacy advocacy group Electronic Frontier Foundation. These tidbits are called proxy data, and more than a decade ago they helped Target determine which of its customers were pregnant by looking at who bought unscented lotion.

“It’s very, very easy to identify people if you have enough data,” Tien said. “A lot of times companies will tell you, ‘Well, that’s true, but no one has all the data.’ We don’t really know how much data companies have.”

Some lawmakers are trying to curb the sharing of health data. California State Assemblywoman Rebecca Bauer-Kahan introduced a bill in February that would change the definition of “health information” in the state’s health privacy law to include data collected by mental health apps. Among other things, it prohibits apps from using a user’s “alleged or diagnosed mental health or substance use disorder” for purposes other than providing care.

The Center for Democracy and Technology, along with the industry group eHealth Initiative, has proposed a voluntary framework to help health apps protect information about their users. It does not limit the definition of “health data” to the services of a professional or the list of protected conditions, but includes any data that can help advertisers learn or infer a person’s health problems. It also calls on companies to publicly and prominently promise not to link “de-identified” data to any person or device — and to require their contractors to promise the same.


So what can you do? There are several ways to limit the sharing of health app information, such as not linking the app to a Facebook or Google account when you sign in. If you’re using an iPhone, choose “ask the app not to track” when prompted. If you’re using Android, reset your Android Advertising ID often. Increase your phone’s privacy settings, whether you’re using iPhone or Android.

If apps ask for additional data sharing permissions, say no. If you’re concerned about data you’ve already provided, you can try submitting a data deletion request. Companies are not required to honor the request unless you live in California because of the state’s privacy law, but some companies say they will delete anyone’s data.
