
Senators target security, privacy risks of mental health apps, misuse of health data

Lawmakers aim to close security and privacy loopholes when it comes to regulating health apps. Pictured: A smartphone user navigates the Defense Health Agency’s health and wellness app, Air Force MissionFit, at Hanscom Air Force Base, Mass., Feb. 13, 2020. (Lauren Russell/Air Force)

Several senators are probing the privacy and security of health apps, such as Talkspace and BetterHelp, which are accused of “taking advantage of the regulatory gray area in The Health Insurance Portability and Accountability Act to exploit their patients’ data for profit.”

Sens. Ron Wyden, D-Ore., Elizabeth Warren, D-Mass., and Cory Booker, D-N.J., are giving some mental health app developers until July 6 to shed light on their data mining and third-party data sharing practices because of ongoing concerns about the possible misuse of health data.

Patient privacy risks tied to health apps are common, with multiple 2019 reports detailing dubious data sharing practices. In short, the majority of health apps routinely share data with third-party vendors, without providing users transparent notices about the practices.

An April 2019 JAMA report found that 36 of the leading depression and smoking cessation apps in the U.S. and Australia routinely share user data with third parties, but just 12 accurately disclosed the practice within the privacy policy.

Only 69% of the examined apps had a privacy policy for users, and just 88% of those with a policy were clear about how the data would be used. Even then, just 16 of those apps disclosed the secondary uses for sharing user data with outside parties. Of the 36 analyzed health apps, the researchers detected data transmission in 33.

And nearly “half of the apps (17 of 36) transmitted data to a third-party,” nine of which did so without a privacy policy; five apps failed to disclose this transmission in their policy text, and three did so despite “explicitly” stating transmission would not occur, the researchers wrote at the time.

Congress aims to close privacy, security loopholes in health app regulations

The report prompted a Department of Health and Human Services alert detailing the possible liabilities providers could face when recommending the use of a health app, particularly with privacy and security risks.

Any apps chosen by patients and not tied to or recommended by a provider for their care management fall outside of the scope of HIPAA. Congress has been actively working to close these loopholes over the last six months, particularly given the ongoing abortion saga. Its latest proposal would ban the sale of health data by data brokers.

The senators’ inquiry aims to shed light on these ongoing concerns, with a keen focus on how mental health apps are collecting, mining and disseminating private user data to third parties, including data brokers and big tech companies.

Wyden’s concerns primarily center on the misuse of consumer data, including “unscrupulous data brokers, especially for the purpose of microtargeting vulnerable populations.” The statement follows accusations that Facebook is scraping hospital data, while other reports claim cancer patients are being targeted with highly suspicious treatment advertisements.

The scathing letter to BetterHelp further details these allegations: “It appears possible that the policies used by your company and similar mental health platforms allow third-party Big Tech firms and data brokers, who have shown remarkably little interest in protecting vulnerable consumers and users, to access and use highly confidential personal and medical information.”

In fact, a February 2020 investigation into BetterHelp revealed the app was sharing analytics with Facebook, including how often the users opened the app and metadata from every message shared on the platform. The practice provided the social media giant with details into how long and where patients were using mental health services.

Another investigation into Talkspace showed employees accusing the company of mining treatment transcripts as if they were just another data resource. Further, the anonymized data from user conversations were “routinely reviewed and mined for insights” by employees, to help Talkspace with research and marketing tactics.

The senators also accuse the companies of sharing anonymized information with MixPanel, a research and analytics panel. The practice enables MixPanel to see users' location data, religion, ages, sexual orientation, financial status, and when or where the user had therapy services.

In light of these numerous allegations, the senators are demanding answers from BetterHelp and Talkspace. Their primary questions include: the type of information shared with third parties and the circumstances of the sharing, a list of companies receiving the data, how use of the shared data is limited, and the financial agreements behind these data mining processes.

From a security standpoint, the app developers must disclose the measures used to anonymize user data, whether the transcripts of provider visits are used by the companies, and whether users are able to delete their personal and health information from the app.

“As telehealth services, especially online mental health platforms, grow in popularity, it’s increasingly important for consumers to understand whether their personal health data is being shared with third parties,” the senators wrote.

Similar state and FTC investigations into women’s health apps have led to big settlements over similar practices to those laid out by the Senators. For example, Flo Health settled with the FTC in 2019 to resolve claims that the health app routinely shared data with outside parties for marketing and analytics services, despite telling users their health data would remain private.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.