Healthcare Information Security

Mobile News

Weighing the privacy risks of mobile health and fitness apps

By Patrick Ouellette

Privacy Rights Clearinghouse took a long look last week at the privacy and security risks associated with mobile health and fitness apps, rather than the usual focus on medical applications. Although these apps are sometimes free and often beneficial to users’ overall health, attorney Linda Ackerman and Privacy Rights Clearinghouse found in the “Mobile Health and Fitness Applications and Information Privacy” study that they carry more privacy risks than patients probably realize.

The company came to this conclusion after analyzing 43 popular health and fitness apps, both free and paid, whose privacy policies do not go into enough detail for customers. Half of the 43 apps were on Apple’s iOS and half on Google’s Android, with free and paid apps chosen by different selection processes. Privacy Rights Clearinghouse chose free apps that appeared to be medical or health-related based on what it heard from the media, looking in categories such as behavioral health, health and fitness, diet, pregnancy and “stop smoking” in the Apple App Store and Google Play. Paid apps were chosen from what Google Play and the Apple App Store listed as their top 200 paid apps in the health and fitness category.

There were 23 free and 20 paid apps, but Privacy Rights Clearinghouse did not name specific applications or developers because it is not a seal or certification authority and, as a policy, does not endorse or criticize specific products or companies. After testing the applications on four mobile devices (two tablets and two smartphones), it did not notice any particular differences between device types or operating system platforms in how the apps worked or what the privacy risks were.

The company used more than 150 different criteria or data points and some were subjective (quality of privacy policy, privacy risk of using the app) and others were objective (permissions required to install the app, user access to data, and user control options). Privacy Rights Clearinghouse combined “consumer-level analysis of privacy and data practices based on using the applications” with what the apps were actually doing with the personal and non-individually identifiable data they collect. In doing so, it could figure out how well that correlates to what their privacy policies say they’re doing with the data.

These were some results that Privacy Rights Clearinghouse didn’t see coming:

- 74% of the free apps and 60% of the paid apps we reviewed had a privacy policy either in the app or on the developer’s website. In other words, 26% of the free apps and a shocking 40% of the paid apps had no privacy policy at all.

- Only 43% of free apps and 25% of the paid apps provided any kind of link from within the app to a privacy policy on the developer’s website – the rest required the users to search for any relevant privacy policies themselves.

- 39% of the free apps and 30% of the paid apps sent data to someone not disclosed by the developer either in the app or in any privacy policy we found.

- Only 13% of free apps and 10% of paid apps encrypted all data connections and transmission between the app and the developer’s website(s).

And only 43 percent of free apps provided a link to a website privacy policy. The risk for patients and consumers using these apps would be that either the app developers themselves or third-party companies would mine their data. Here were some key findings:

- Many apps send data in the clear (unencrypted) without user knowledge.

- Many apps connect to several third-party sites without user knowledge.

- Unencrypted connections potentially expose sensitive and embarrassing data to everyone on a network.

- Nearly three-fourths, or 72%, of the apps we assessed presented medium (32%) to high (40%) risk regarding personal privacy.

- The apps which presented the lowest privacy risk to users were paid apps. This is primarily due to the fact that they don’t rely solely on advertising to make money, which means the data is less likely to be available to other parties.
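The study's method, as described above, was to compare what an app actually does on the network with what its privacy policy discloses: whether every connection is encrypted, and whether data goes to parties the developer never named. The script below is an added example of that kind of review, written for this page and not part of the article or of the Privacy Rights Clearinghouse study. Everything in it is constructed: the app names, the `.example` hostnames, the observed connections and the fields seen in each request are invented sample data, the set of fields treated as sensitive is an assumption, and the low/medium/high tiering rule is this example's own, not the study's scoring. What it shows is the shape of the check: each observed destination is classified as developer, disclosed third party or undisclosed, cleartext requests carrying sensitive fields are flagged, and the per-app results are rolled up into the same style of percentages the study reports.

```python
"""Score an app's observed network behaviour against what its privacy policy discloses.

Added example, not code from the article or the Privacy Rights Clearinghouse study.
All apps, hostnames and connection records below are constructed sample data.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Fields a reviewer would treat as sensitive if they travel in the clear (assumption).
SENSITIVE_FIELDS = {"weight", "diagnosis", "due_date", "email", "device_id"}


@dataclass(frozen=True)
class Connection:
    url: str                 # destination the app contacted during testing
    payload_fields: tuple    # field names observed in the request body or query string


def is_encrypted(url: str) -> bool:
    return urlsplit(url).scheme == "https"


def registered_domain(url: str) -> str:
    """Crude registered-domain extraction (last two labels).

    Good enough for the constructed sample; a real review would use the public suffix list.
    """
    host = urlsplit(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def assess_app(name, connections, developer_domains, disclosed_third_parties):
    """Compare observed traffic with the disclosed recipients and assign a risk tier."""
    undisclosed = set()
    cleartext_sensitive = []     # (host, [fields]) for unencrypted requests carrying sensitive data
    all_encrypted = True
    for c in connections:
        domain = registered_domain(c.url)
        if not is_encrypted(c.url):
            all_encrypted = False
            leaked = sorted(set(c.payload_fields) & SENSITIVE_FIELDS)
            if leaked:
                cleartext_sensitive.append((urlsplit(c.url).hostname, leaked))
        if domain not in developer_domains and domain not in disclosed_third_parties:
            undisclosed.add(domain)
    # Tiering rule is this example's assumption, not the study's methodology.
    if cleartext_sensitive or (undisclosed and not all_encrypted):
        risk = "high"
    elif undisclosed or not all_encrypted:
        risk = "medium"
    else:
        risk = "low"
    return {
        "app": name,
        "all_encrypted": all_encrypted,
        "undisclosed_third_parties": sorted(undisclosed),
        "cleartext_sensitive": cleartext_sensitive,
        "risk": risk,
    }


def summarize(assessments):
    """Roll per-app results up into study-style percentages and risk counts."""
    n = len(assessments)
    return {
        "encrypt_all_pct": round(100 * sum(a["all_encrypted"] for a in assessments) / n),
        "undisclosed_pct": round(100 * sum(bool(a["undisclosed_third_parties"]) for a in assessments) / n),
        "risk_counts": {r: sum(a["risk"] == r for a in assessments) for r in ("low", "medium", "high")},
    }


# Constructed sample: three hypothetical apps with invented hostnames and observed requests.
SAMPLE_APPS = [
    ("DietTrackerFree", {"diettracker.example"}, {"analytics.example"}, [
        Connection("https://api.diettracker.example/sync", ("weight", "email")),
        Connection("http://ads.adnet.example/imp", ("device_id",)),          # cleartext, undisclosed
    ]),
    ("PregnancyPaid", {"bumpapp.example"}, set(), [
        Connection("https://sync.bumpapp.example/v1", ("due_date", "email")),
        Connection("https://metrics.analytics.example/collect", ("device_id",)),  # encrypted, undisclosed
    ]),
    ("QuitSmokingPaid", {"quitnow.example"}, set(), [
        Connection("https://api.quitnow.example/log", ("email",)),
    ]),
]


def run_sample():
    assessments = [assess_app(name, conns, dev, disclosed) for name, dev, disclosed, conns in SAMPLE_APPS]
    return {"assessments": assessments, "summary": summarize(assessments)}


if __name__ == "__main__":
    result = run_sample()
    for a in result["assessments"]:
        print(f'{a["app"]:16} risk={a["risk"]:6} all_encrypted={a["all_encrypted"]} '
              f'undisclosed={a["undisclosed_third_parties"]} cleartext={a["cleartext_sensitive"]}')
    print(result["summary"])
```

On the constructed sample, the free app that sends a device identifier over plain HTTP to an undisclosed ad network lands in the high tier, the paid app whose only issue is an undisclosed but encrypted analytics endpoint lands in medium, and the app that talks only to its own developer over HTTPS lands in low. The disclosed-recipient sets are the reviewer's reading of the policy, which is exactly the subjective input the study describes; the network observations are the objective part.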

The company concluded that, from a privacy perspective, mobile health and fitness applications do not do a great job protecting users’ privacy:

Consumers who have no hesitation about sharing personal information will probably find value in sharing the details of their pregnancies by linking their app with Facebook, participating in app-based chat groups and posting photographs of themselves as their pregnancies progress. Others will find that socializing their diet or exercise regimes provides support or competition that helps motivate them.
