Health apps often transmit personal user information without encryption
In the United Kingdom, many accredited mobile health applications did not comply with standard data protection principles, according to recently published data.
“Our study suggests that the privacy of users of accredited apps may have been unnecessarily put at risk, and challenges claims of trustworthiness offered by the current national accreditation scheme being run through the [National Health Service]. The results of the study provide an opportunity for action to address these concerns, and minimize the risk of a future privacy breach,” study co-author, Kit Huckvale, PhD, Global eHealth Unit, Imperial College London, said in a press release.
To determine whether health apps certified through accreditation programs complied with data protection principles, Huckvale and colleagues assessed 79 apps from the English National Health Service (NHS) Health Apps Library. Assessed apps included those for weight loss, exercise, smoking cessation, alcohol use management and self-management of long-term conditions.
Results demonstrated that information was transmitted to online services from 89% of apps.
None of the apps encrypted personal data that was locally stored, and 66% of the apps did not encrypt identifying data when sending information via the Internet.
Both identifying information and health data were transmitted without encryption by four apps.
More than 65% of apps had a privacy policy of some sort, while 20% had no privacy policy at all.
Among apps that transmitted data and had a privacy policy, 78% did not disclose what personal information would be transmitted.
“It is known that apps available through general marketplaces had poor and variable privacy practices, for example, failing to disclose personal data collected and sent to a third party. However, it was assumed that accredited apps — those that had been badged as trustworthy by organizational programs such as the UK’s NHS Health Apps Library — would be free of such issues,” Huckvale said in the release.
The researchers noted that accreditation programs should inform both patients and providers of possible threats related to health apps, but that preferably, app publishers should resolve any issues that would expose users to threats prior to an app's release.
“Regulators should consider establishing standards for accreditation process, and be ready to intervene if accreditation programs cannot manage risks effectively. If patients or the public are deterred from using apps because of questions of trust, then the potential clinical benefits of mobile health will not be realized,” Huckvale and colleagues concluded.
Disclosures: Huckvale reported co-development of one of the assessed apps. Please see the full study for a list of all authors’ relevant financial disclosures.