Report: Privacy Concerns With Apps Used For Opioid Addiction Treatment

A new report on smartphone apps used for opioid addiction treatment is raising concerns over patient privacy.

By Lisa Gentes-Hunt

A report released by the ExpressVPN Digital Security Lab on July 7 revealed privacy concerns with ten smartphone apps used in treating opioid addiction.

The lab, in collaboration with the Opioid Policy Institute (OPI) and the Defensive Lab Agency, produced the report.  

“All of the contributors agree that the findings include troubling and conspicuous signs of privacy and, potentially, security issues,” the researchers stated in the new report.  

Sean O’Brien, Principal Researcher at the Digital Security Lab, told HealthITSecurity in an interview that “the team was shocked to see the amount of data that many of these apps collected and made easy for data brokers to scoop up.”

A total of ten Android apps were studied, including Bicycle Health, Boulder Care, Confidant Health, DynamiCare Health, Kaden Health, Loosid, Pear Reset-O, PursueCare, Sober Grid, and Workit Health.    

Nicholas J. Mercadante, founder and CEO of PursueCare, stated that PursueCare, as noted in the study, does not allow third parties to track user data. 

These apps, according to the study, account for approximately 180,000 downloads from the Google Play store and have users in all 50 states.

Users of some of these specific apps should be aware that their location, calendars and other private data are being used.  

The apps' use of the smartphone's camera and microphone “is notable, with nine out of ten apps requesting permission to access this hardware, but this is not surprising given their core functionality,” the report stated. “Telehealth apps utilize the camera and microphone for treatment and other calls with the service provider.”

“However, the potential for abuse of these permissions in smartphone apps is well-known,” the report continued. “Unwanted access to this hardware can have dire consequences for privacy, and is a consistent worry for consumers. Additionally, core calling, calendaring, and address book functionality is available to many of these apps.”   

The study noted that all smartphone users are, in effect, under constant surveillance by the private and public sectors, which have the capability of identifying the person carrying the smartphone.

The researchers noted that the amount of data available to these ten apps “raises questions about the privacy and security practices of telehealth apps.”  

Patients who use these apps have a “reasonable expectation of privacy based on the notions of disclosure in regard to healthcare data.”

"People with an opioid addiction already face substantial discrimination and stigma," Opioid Policy Institute Director Jonathan J.K. Stoltman, PhD said in an interview with HealthITSecurity. "Redisclosure of this data may further exacerbate this issue, which is precisely why addiction related healthcare data is supposed to be protected to the highest level possible." 

Some of the data the apps are using includes the smartphone’s camera, microphone, call data, location information, Bluetooth connections, a list of the device’s installed apps, contacts and calendar.

“Most troubling, however, is the access of unique identifiers by the majority of these telehealth apps and the capability for sharing these identifiers with third parties,” the study noted. “Professionals and healthcare providers in the U.S. are bound by laws, regulations, and ethical duties in this regard, including 42 CFR Part 2 and HIPAA, which outline strong controls over consent and disclosure of patient information related to treatment for addiction.”  

The study’s authors go on to state that, especially in the age of increased telehealth medicine during the COVID-19 pandemic, addiction treatment and recovery apps play a central role in the lives of people with an opioid addiction.

“Still - because access to addiction treatment is lifesaving, we're not advocating that these apps be removed from the marketplace; however, we think there needs to be substantial changes to how they are developed and function in the context of addiction treatment and recovery plus better regulatory guide rails to prevent this issue in the future,” Stoltman said in an interview.  

Healthcare providers need to be aware of these issues with the apps, which could be putting patients at risk. In addition, regulators “should be aware that the vacuum of guidance for addiction treatment apps has been filled by a variety of telehealth services,” the study states.

“Through our work, we wish to place emphasis on the importance of patient and end-user privacy, shining a light on growing and prescient concerns within the domain of telehealth opioid addiction treatment and recovery,” the study concludes.  

O’Brien, Principal Researcher at the Digital Security Lab, said in the interview that with telehealth being in such demand during this pandemic, apps are part of this “vital resource for people who are struggling with addiction.”  

“There's no reason we can't have privacy-respecting, secure services - in fact, some telehealth apps make good choices in that regard,” O’Brien stated. “What apps shouldn't do is trample over the rights of patients, ignore informed consent, or share information with third parties that a brick-and-mortar setting would never allow.” 

The lack of privacy is alarming, and study collaborator Stoltman said there is no quick fix once data is exposed.

"What’s scary for me is that people who used these services can’t simply change their password to protect their data," the Opioid Policy Institute director said. "Once this data is redisclosed and ‘in the wild,’ patients and providers lose all control of how it will be used to target them in the future. It will also be difficult to tell when that targeting happens, but history suggests that it will be used to further marginalize people with an addiction." 

"The ExpressVPN study specifically highlights that PursueCare does not let any third parties track user data," Nicholas J. Mercadante, founder and CEO of PursueCare, stated. "Per the study, we are the only one that did not."

For those in need of help with addiction, visit FindTreatment.gov for resources.  

Editor's note: This article has been updated.