Some Medical Apps Routinely Share Data

Marcia Frellick

March 21, 2019

Popular medical applications (apps) legally and routinely share user data, researchers have found, and often without making the implications clear to users.

Quinn Grundy, PhD, RN, assistant professor, faculty of nursing, University of Toronto, Ontario, Canada, and colleagues advise clinicians to be conscious of privacy risks when they use the apps personally and to warn patients of the risks when they recommend their use.

The researchers studied 24 medicine-related, interactive, top-rated apps available to the public in the United States, United Kingdom, Canada, and Australia. All of the apps were on the Android mobile platform and provided information about using, prescribing, administering, or dispensing medicine. Apps used in the analysis are both patient- and clinician-focused, and included Medscape's app.

Most Apps Shared User Data

To determine when and what types of user data were shared, researchers set up several dummy profiles and analyzed traffic during simulated use. Nineteen (79%) of the 24 apps tested shared some user data, the researchers report in an article published online March 20 in BMJ.

A total of 55 unique entities, owned by 46 parent companies, received user data, including developers and parent companies. Of those, 18 entities provided infrastructure-related services, such as cloud services and database platforms, and 37 (67%) provided services related to collecting and analyzing user data for purposes including advertising, social media, and user engagement.

The most commonly shared types of user data were the device name (63% of apps), operating system version (42%), internet browsing information (38%), email address (38%), Android ID (33%), and medication list (25%). Some apps also shared more personal information including name (21%) and date of birth (13%).

When examining which entities received data from the apps, the researchers found that and Alphabet (the parent company of Google) each received the most user data (24 transmissions), followed by Microsoft (14).

The authors note that even when personal identifiers are absent, technical information, such as device name and Android ID, can be important for privacy, especially when a company receives information from multiple sources.

"Many types of user data are unique and identifying, or potentially identifiable when aggregated," they write.

In addition, many of those who received and processed the data were found to have broad reach, suggesting a high degree of risk.

"The sharing of user data ultimately has real-world consequences in the form of highly targeted advertising or algorithmic decisions about insurance premiums, employability, financial services, or suitability for housing," Grundy and colleagues write.

Data from clinician-focused apps may be of particular interest to pharmaceutical companies, which can learn about prescribing habits and where to target advertising.

The authors note that although the collection and sharing of user data are common and legal, it is not necessarily in the best interest of users. "Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom," the researchers write.

In the meantime, the authors recommend that clinicians "be conscious about the choices they make in relation to their app use and, when recommending apps to consumers, explain the potential for loss of personal privacy as part of informed consent."

The authors note several limitations of their study, including the inclusion of only Android-based apps, which means they don't know whether or to what extent the iOS platform apps share data. In addition, the authors selected widely downloaded and highly rated apps, which may not be representative of other available apps.

This work was funded by a grant from the Sydney Policy Lab at the University of Sydney. The authors have reported no relevant financial relationships.

BMJ. 2019;364:l920.
