Study: Addiction Treatment mHealth Apps Aren’t Protecting Patient Data

July 08, 2021 - An analysis of 10 popular mHealth apps for opioid addiction treatment and recovery finds very few safeguards in place for the protection of personal health information.

Conducted by the ExpressVPN Digital Security Lab, with support from the Opioid Policy Institute (OPI) and the Defensive Lab Agency (DLA) and feedback from Yale University and the Legal Action Center (LAC), the study targets a fast-growing and valuable connected health platform for the estimated 23 million people living with addiction. Those numbers are growing, due in part to the pandemic, and the numbers of people succumbing to addiction are soaring as well.

mHealth apps and other telehealth services give those living with addiction an opportunity to access care at any time and place, particularly when they most need assistance, while also giving providers a platform to reach out and help more patients. But as the study points out, they place more emphasis on treatment and less on ensuring privacy and security.

“Though each app may differ in its implementation, the sheer amount of data available to the majority of the apps we studied raises questions about the privacy and security practices of telehealth apps,” the researchers pointed out. “People who use these services have a reasonable expectation of privacy based on the notions of disclosure in regard to healthcare data. We have determined that a high degree of trust is required by these apps, including the use of camera and microphone, call data, location information, Bluetooth connections, and even access to a smartphone’s list of installed apps, contacts, and calendar.”

“Providers should be aware that these services may not be handling patient privacy as a priority and creating risks for patients,” they continued. “Funders should be aware that these issues are a core component of the service and need thorough vetting before funding. Regulators should be aware that the vacuum of guidance for addiction treatment apps has been filled by a variety of telehealth services. These services may not protect patient privacy in accordance with 42 CFR Part 2 and HIPAA and are in need of additional guidance to protect patients and providers who use these services.”

READ MORE: Uncertain Telehealth Laws Keep Substance Abuse Care Providers on Their Toes

The 10 apps analyzed were Bicycle Health, Boulder Care, Confidant Health, DynamiCare Health, Kaden Health, Loosid, Pear Reset-O, PursueCare, Sober Grid and Workit Health. All told, they comprise roughly 180,000 downloads from Google Play, reach consumers in every state and account for about $300 million in funding from investor groups and the government.

The challenge lies in using smartphones that capture unique identifiers of the users, allowing app developers and third parties to gather and possibly even profit off of the information. In healthcare, safeguards should be in place so that those identifiers are shielded, preventing others from seeing confidential health information.

That’s especially important in addiction treatment, where patient privacy is critical and information on one’s health could affect employment, among other things.

According to the study, seven of 10 apps access advertising ID, five access the user’s phone number, eight access other telephonic data such as the carrier, three access the IMEI and IMSI from the cell provider, one accesses the serial number from the cellphone’s SIM card, three access network information and/or the IP address and one accesses the hardware address/MAC address.

In addition, some of the apps access logs of device activity, a list of other apps installed on the device and location data, all of which could be used to track the user.

READ MORE: FORE Grants Target Telehealth, mHealth Use in Addiction Treatment

Beyond that, apps can tap into the ever-growing number of sensors in cellphones through GPS, Bluetooth, cell radio, camera and microphone, gathering more data on the user. And add in software development kits (SDKs), which “execute code and communicate over the internet in ways that may compromise user information.”

“In some cases, SDKs are designed specifically to collect and aggregate data about the behavior, location, or identities of smartphone users,” the study noted. “In other cases, such surveillance is a valuable byproduct of the SDK’s core functionality — an app that provides navigation to a recovery center, for example, may also be tracking a user’s movements throughout the day and sending that data back to the app’s developers and third parties.”

“App developers have decided to include tracker SDKs in apps for a variety of reasons, and we do not categorize all usage of trackers as malicious or condemn the app authors,” researchers added. “Additionally, given the complexity and pace of software development, some developers may not be aware that trackers are in their app or may not know the full implications of bundling such code before publishing.”

As expected, the study drew some pushback from app developers. PursueCare CEO Nicholas Mercadante noted ExpressVPN is a for-profit company with a product tailored to the top[ic of the study, and he emphasized that his mHealth app does not allow third parties to track data.

The researchers conclude that both providers and patients need to be aware of the inherent risks in using mHealth apps, and weigh those risks against the value of virtual care.

“We wish to emphasize the central role that addiction treatment and recovery apps may play in the lives of people with an opioid addiction,” the report concludes. “We do not wish to see any of the apps we've identified in this report to be reflexively removed or banned from app stores such as Google Play, and instead recommend that privacy and security concerns be addressed by the developers and updated versions of apps be distributed to users. Patients should be aware that these services may violate expectations of privacy that someone would have with traditional addiction treatment and may not comply with the privacy and security protections for in-person treatment.”