Digital health care has its advantages. Privacy isn’t one of them.
Facebook has been caught receiving patient information from hospital websites through its tracker tool. Google stores our health-related internet searches. Mental health apps leave room in their privacy policies to share data with unlisted third parties. Users have few protections under the Health Insurance Portability and Accountability Act (HIPAA) when it comes to digital data, and popular health apps share information with a broad collection of advertisers, according to our investigation.
Most of the data being shared doesn’t directly identify us. For example, apps may share a string of numbers called an “identifier” that’s linked to our phones rather than our names. Not all the recipients of this data are in the ad business — some provide analytics showing developers how users move around their apps. And companies argue that sharing which pages you visit, such as a page titled “depression,” isn’t the same as revealing sensitive health concerns.
But privacy experts say sending user identifiers along with key words from the content we visit opens consumers to unnecessary risk. Big data collectors such as brokers or ad companies could piece together someone’s behavior or concerns using multiple pieces of information or identifiers. That means “depression” could become one more data point that helps companies target or profile us.
To give you a sense of the data sharing that goes on behind the scenes, The Washington Post enlisted the help of several privacy experts and companies, including researchers at DuckDuckGo, which makes a variety of online privacy tools. After their findings were shared with us, we independently verified their claims using a tool called mitmproxy, which allowed us to view the contents of web traffic.
What we learned was that several popular Android health apps including Drugs.com Medication Guide, WebMD: Symptom Checker and Period Calendar Period Tracker gave advertisers the information they’d need to market to people or groups of consumers based on their health concerns.
The Drugs.com Android app, for example, sent data to more than 100 outside entities including advertising companies, DuckDuckGo said. Terms inside those data transfers included “herpes,” “HIV,” “adderall” (a drug to treat attention-deficit/hyperactivity disorder), “diabetes” and “pregnancy.” These keywords came alongside device identifiers, which raise questions about privacy and targeting.
Drugs.com said it’s not transmitting any data that counts as “sensitive personal information” and that its ads are relevant to the page content, not to the individual viewing that page. When The Post pointed out that in one case Drugs.com appeared to send an outside company the user’s first and last name — a false name DuckDuckGo used for its testing — it said that it never intended for users to input their names into the “profile name” field and that it will stop transmitting the contents of that field.
Among the terms WebMD shared with advertising companies along with user identifiers were “addiction” and “depression,” according to DuckDuckGo. WebMD declined to comment.
Period Calendar shared information including identifiers with dozens of outside companies including advertisers, according to our investigation. The developer didn’t respond to requests for comment.
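The kind of check described above, health keywords traveling in the same request as a device identifier, can be run over traffic captured with a tool like mitmproxy. The sketch below is an added example, not code from The Post or DuckDuckGo; the hosts, the identifier and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, unquote_plus

# Health terms quoted in the article; extend the set for a real audit.
HEALTH_TERMS = ("herpes", "hiv", "adderall", "diabetes", "pregnancy",
                "addiction", "depression")
# Letter lookarounds stop "hiv" from matching inside words such as "archive".
TERM_RE = re.compile(r"(?<![a-z])(" + "|".join(HEALTH_TERMS) + r")(?![a-z])")
# Advertising IDs are UUID-formatted, so match that shape anywhere in a request.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed sample data: hypothetical hosts and a made-up identifier.
AD_ID = "1b2c3d4e-0000-4aaa-8bbb-123456789abc"
FIRST_PARTY = {"api.healthapp.example"}
SAMPLE = [
    (f"https://ads.tracker.example/bid?adid={AD_ID}&kw=herpes%2Chiv", ""),
    ("https://metrics.analytics.example/v1/event",
     f'{{"device_id":"{AD_ID}","screen":"depression"}}'),
    (f"https://api.healthapp.example/search?q=diabetes&adid={AD_ID}", ""),
    (f"https://cdn.fonts.example/archive/font.woff?adid={AD_ID}", ""),
]

def scan(url, body=""):
    """Return (host, identifiers, health terms) found in one outbound request."""
    parts = urlsplit(url)
    text = unquote_plus(f"{parts.path}?{parts.query}\n{body}").lower()
    return parts.hostname or "", set(UUID_RE.findall(text)), set(TERM_RE.findall(text))

def find_linkable_leaks(requests, first_party):
    """Third-party requests carrying an identifier AND a health term together."""
    findings = []
    for url, body in requests:
        host, ids, terms = scan(url, body)
        if host not in first_party and ids and terms:
            findings.append({"host": host, "ids": sorted(ids), "terms": sorted(terms)})
    return findings

def profile_by_identifier(findings):
    """Merge findings per identifier: what a data collector could piece together."""
    profile = defaultdict(set)
    for finding in findings:
        for ident in finding["ids"]:
            profile[ident].update(finding["terms"])
    return {ident: sorted(terms) for ident, terms in profile.items()}

if __name__ == "__main__":
    leaks = find_linkable_leaks(SAMPLE, FIRST_PARTY)
    for leak in leaks:
        print(leak)
    print(profile_by_identifier(leaks))
```

The per-identifier merge is the part that matters for privacy: each recipient sees only one or two terms, but the shared identifier lets them be joined into a single profile.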
What goes on at the ad companies themselves is often a mystery. But ID5, an adtech company that received data from WebMD, said its job is to generate user IDs that help apps make their advertising “more valuable.”
“Our job is to identify customers, not to know who they are,” ID5 co-founder and CEO Mathieu Roche said.
Jean-Christophe Peube, executive vice president at adtech company Smart, which has since acquired two other adtech firms and rebranded to Equativ, said the data that it receives from Drugs.com can be used to put consumers into “interest categories.”
Peube said in a statement shared with The Post that interest-based ad targeting is better for privacy than using technology like cookies to target individuals. But some consumers may not want their health concerns used for advertising at all.
Knowing you by a number or interest group rather than a name wouldn’t stop advertisers from targeting people with particular health concerns or conditions, said Pam Dixon, executive director of nonprofit research group World Privacy Forum.
We consent to these apps’ privacy practices when we accept their privacy policies. But few of us have time to wade through the legalese, says Andrew Crawford, senior counsel at the Center for Democracy and Technology.
“We click through quickly and accept ‘agree’ without really contemplating the downstream potential trade-offs,” he said.
Those trade-offs could take a few forms, like our information landing in the hands of data sellers, employers, insurers, real estate agents, credit granters or law enforcement, privacy experts say.
Even small bits of information can be combined to infer big things about our lives, says Lee Tien, a senior staff attorney at the privacy organization Electronic Frontier Foundation. Those tidbits are called proxy data, and more than a decade ago, they helped Target figure out which of its customers were pregnant by looking at who bought unscented lotion.
“It’s very, very easy to identify people if you have enough data,” Tien said. “A lot of times companies will tell you, ‘Well, that’s true, but nobody has all the data.’ We don’t actually know how much data companies have.”
Some lawmakers are trying to rein in health data sharing. California State Assembly member Rebecca Bauer-Kahan introduced a bill in February that could redefine “medical information” in the state’s medical privacy law to include data gathered by mental health apps. Among other things, this would prohibit the apps from using “a consumer’s inferred or diagnosed mental health or substance use disorder” for purposes other than providing care.
The Center for Democracy and Technology, along with the industry group eHealth Initiative, has proposed a voluntary framework to help health apps protect information about their users. It doesn’t limit the definition of “health data” to services from a professional, nor to a list of protected conditions, but includes any data that could help advertisers learn about or infer a person’s health concerns. It also calls for companies to publicly and conspicuously promise not to associate “de-identified” data with any person or device — and to require their contractors to promise the same.
So what can you do? There are a few ways to limit the information health apps share, such as not linking the app to your Facebook or Google account during sign-in. If you use an iPhone, select “ask app not to track” when prompted. If you’re on Android, reset your Android Ad ID frequently. Tighten up your phone’s privacy settings, whether you use an iPhone or Android.
If apps ask for extra data-sharing permissions, say no. If you’re concerned about the data you’ve already provided, you can try submitting a data deletion request. Companies aren’t obligated to honor the request unless you live in California, where the state’s privacy law requires it, but some companies say they’ll delete data for anyone.