The biggest tech companies have access to your health data


Sensitive data collected by popular smartphone health apps isn't being kept confidential and instead gets shared with big tech companies, a study from the British Medical Journal has revealed.

Of the 24 apps used in the study, 19 of them were found to share sensitive data such as blood pressure, Android ID, birthdays, email addresses and precise locations, with the likes of Facebook, Google and Amazon. But permissions for such data sharing were found to be well obfuscated.

28 types of user data were identified as being shared with other companies and their parent companies too, and using these data, companies could easily piece together the true identity of a person based on multiple pieces of confidential data, said the report.

The recipients of the data were far and wide. Data was received by 55 entities and 46 parent companies; among them were Facebook, Amazon, Google and Oracle - some of the biggest names in tech.

The study warns the data could be passed on to other bodies such as credit agencies, pharmaceutical companies and others for use in targeted advertising.

"The semi-persistent Android ID will uniquely identify a user within the Google universe, which has considerable scope and ability to aggregate highly diverse information about the user," the research team wrote in the BMJ.

Many of the apps examined in the study were free to download and one caveat was that most included explicit mention of their data sharing practices. However, much like how Facebook recently buried incriminating details of plain text-stored user passwords and Amazon's reluctance to share details of data breaches with those affected, the mention of said practices was buried deep in the fine print of the app's user agreement.

From a legal perspective, there's no evidence of wrongdoing, and it's well known that 'free' apps come at a hidden, give-me-all-your-data price. But the blatant obfuscation of important information makes it clear that tech companies show little respect for user privacy when it comes to handling their users' data.

"Although it is well known and documented that apps use customers' data as a currency, it is particularly troubling when that data includes sensitive information such as medical records and health metrics," said Lamar Bailey, director of security research and development at Tripwire. "It is paramount that these apps clearly state in their registration process if they plan to divulge their customers' information to third parties, so that subscribers are able to opt out."

The study also identified the possibility of data sharing between fourth parties, which represent companies that are not the app developers, nor the developer's parent company. 237 entities were identified in this fourth party network comprised of various industries including advertising, marketing and telecoms corporations and of these, only three of the entities were in any way affiliated with the health sector.

The BMJ provided us with a list of the apps used in the study and Ada, an app which appears at the number 5 spot on the Google Play medical store, is among the biggest collectors of data but what the developer does with that information is unknown.

"As a digital health company based in Germany, we take data privacy and security extremely seriously and we treat all information shared with us with utmost care," said Ada in a statement. "Ada's users can remain confident no personal or individual medical data is used for commercial gain directly or indirectly."

What we do know is that the 24 apps were all among the top rated and most popular Android apps on the Google Play store under the medical category for the UK, US, Canada and Australia.

Connor Jones
News and Analysis Editor
