Health apps share your concerns with advertisers. HIPAA cannot stop it.

From “depression” to “HIV”, we have found popular health apps that share potential health problems and user identifiers with dozens of advertising companies

(Video: Katty Huertas for the Washington Post)

Digital health care has its advantages. Privacy is not one of them.

In a nation with millions of uninsured families and a shortage of healthcare professionals, many of us are turning to healthcare apps and websites for accessible information or even potential treatment. But when you launch a symptom check or digital therapy app, you may unknowingly share your concerns with more than just the app maker.

Facebook was surprised to receive patient information from hospital websites via its location tool. Google stores our health-related Internet searches. Mental health apps leave room in their privacy policies to share data with unlisted third parties. According to our survey, users have few protections under the Health Insurance Portability and Accountability Act (HIPAA) when it comes to digital data, and popular health apps share information with a large collection of advertisers.

You planned an abortion. Planned Parenthood’s website may tell Facebook.

Most shared data does not directly identify us. For example, apps can share a string of numbers called “identifier” linked to our phones instead of our names. Not all recipients of this data are in the advertising industry – some provide analytics that show developers how users navigate their apps. And companies argue that sharing the pages you visit, such as a page titled “depression,” isn’t the same as disclosing sensitive health issues.

But privacy experts say that sending user identifiers along with keywords from the content we visit opens consumers up for unnecessary risks. Big data collectors such as brokers or advertising companies could piece together someone’s behavior or concerns by using multiple information or identifiers. This means that “depression” could become an extra data point that helps companies target or profile us.

To give you an idea of ​​the data sharing that happens behind the scenes, The Washington Post enlisted the help of several privacy experts and companies, including researchers from DuckDuckGo, which produces a variety of online privacy tools. After their findings were shared with us, we independently verified their claims using a tool called mitmproxy, which allowed us to view web traffic content.

What we learned is that several popular Android health apps, including Medication Guide, WebMD: Symptom Checker, and Period Calendar Period Tracker, have provided advertisers with the information they would need to market individuals or consumer groups in based on their health problems.

The app for Android, for example, sent data to more than 100 external entities, including advertising companies, DuckDuckGo said. Terms within these data transfers included “herpes”, “HIV”, “adderall” (a drug to treat attention deficit / hyperactivity disorder), “diabetes” and “pregnancy”. These keywords have been paired with device identifiers, which raise questions about privacy and targeting. stated that it is not transmitting any data that contains “sensitive personal information” and that its ads are relevant to the content of the page, not to the individual viewing that page. When The Post pointed out that in one case appeared to send the user’s first and last name – a fake name used by DuckDuckGo for its tests – to an outside company, it claimed that it never intended users to enter their own. names in the “profile name” and it will stop broadcasting the content of that field.

Among the terms WebMD shared with advertising companies along with user identifiers were “addiction” and “depression,” according to DuckDuckGo. WebMD declined to comment.

Period Calendar has shared information, including identifiers, with dozens of outside companies, including advertisers, according to our survey. The developer did not respond to requests for comment.

What happens to the advertising companies themselves is often a mystery. But ID5, an adtech company that has received data from WebMD, said its job is to generate user IDs that help apps make their advertising “more valuable.”

“Our job is to identify customers, not to know who they are,” said ID5 co-founder and CEO Mathieu Roche.

Jean-Christophe Peube, executive vice president of adtech Smart, which has since acquired two other adtech companies and renamed to Equativ, said the data he receives from can be used to put consumers into “categories of interest” .

Peube said in a statement shared with The Post that interest-based ad targeting is better for privacy than using technologies like cookies to target people. But some consumers may not want their health problems to be used for advertising.

Getting to know you via an interest number or group rather than a name would not prevent advertisers from targeting people with particular health problems or conditions, said Pam Dixon, executive director of the non-profit research group World Privacy Forum.

How we can protect our health information

We consent to the privacy practices of these apps when we accept their privacy policies. But few of us have time to go through legalese, says Andrew Crawford, a legal counsel at the Center for Democracy and Technology.

How to browse a privacy policy to spot red flags

“We click quickly and accept ‘I agree’ without really contemplating the potential compromises downstream,” he said.

These compromises could take some forms, such as our information ending up in the hands of data sellers, employers, insurers, real estate agents, lenders or law enforcement, privacy experts say.

Even small bits of information can be combined to infer big things about our lives, says Lee Tien, a senior staff attorney at the Electronic Frontier Foundation privacy organization. Those tidbits are called proxy data, and more than a decade ago they helped figure out which of her clients were pregnant by looking at who bought an unscented lotion.

“It’s very, very easy to identify people if you have enough data,” Tien said. “Many times companies tell you, ‘Well that’s true, but nobody has any data.’ In reality we don’t know how much data the companies have. “

Some lawmakers are trying to curb the sharing of health data. California State Assembly Member Rebecca Bauer-Kahan unveiled a bill in February that could redefine “medical information” in the state’s medical privacy law to include data collected by mental health apps. Among other things, this would prohibit apps from using “a consumer’s inferred or diagnosed mental health or substance use disorder” for purposes other than assistance.

The Center for Democracy and Technology, along with the eHealth Initiative industry group, has proposed a voluntary framework to help health apps protect information about their users. It does not limit the definition of “health data” to the services of a professional, or to a list of protected conditions, but it does include any data that could help advertisers know or infer a person’s health problems. It also asks companies to publicly and openly promise not to associate “unidentified” data with any person or device and to request the same from their contractors.

Google allows you to restrict pregnancy and weight loss ads

What can you do? There are a few ways to restrict the sharing of information health apps, such as not linking the app to your Facebook or Google account while signing in. If you are using an iPhone, select “Ask app not to track” when prompted. If you are on Android, reset your Android Ad ID frequently. Strengthen your phone’s privacy settings, regardless of whether you’re using an iPhone or Android.

If apps require additional permissions for data sharing, say no. If you are concerned about the data you have already provided, you can try submitting a data deletion request. Companies are not required to honor the request unless you live in California due to the state’s privacy law, but some companies say they will erase the data for anyone.