Report: Addiction treatment apps pose privacy risks


This article has been updated with a statement from Bicycle Health. 

Several past reports have raised privacy concerns in mobile health apps, especially in data being shared with third-party advertisers and analytics providers. Even in apps offering treatment for opioid use disorder, which should carry additional privacy protections, the same problems remain.

An analysis of 10 addiction treatment and recovery apps found that almost all of them were accessing sensitive user data and sharing it with third parties. The report was conducted by ExpressVPN’s Digital Security Lab, with the Opioid Policy Institute and the Defensive Lab Agency.

During the height of the pandemic, more patients turned to virtual treatment as in-person clinics closed and telehealth regulations were temporarily loosened. ExpressVPN analyzed 10 apps that had been installed 180,000 times. Many of them have also raised recent funding.

The list of apps includes:

  • Bicycle Health
  • Boulder Care
  • Confidant Health
  • DynamiCare Health
  • Kaden Health
  • Loosid
  • Pear Reset-O
  • PursueCare
  • Sober Grid
  • Workit Health

While people would expect an app-based visit to have the same privacy protections as an in-person clinic, that often isn’t the case.

For example, seven of the 10 apps made users’ advertising ID available to Google. This is a “big deal” because it’s a unique identifier, said Sean O’Brien, principal researcher for ExpressVPN’s Digital Security Lab.

“An advertising ID doesn’t have anything to do with clinical care. It’s not something that should be there,” said Opioid Policy Institute Director Jonathan Stoltman in a phone interview. “If I walk into an addiction treatment clinic and sign in to register for the day and they provide all of that information to Google, that’s well beyond what any medical facility would do. Patients have reasonable expectations that that’s not happening.”

The apps also collected other identifying data, such as by requesting access to location or Bluetooth connections. Seven of the apps requested location information, and three of them included SDK trackers from Facebook Analytics.

Other, less obvious requests had privacy implications. Two apps, Bicycle Health and Kaden Health, were able to access a list of all installed apps. Kaden also had the ability to share several types of information with payment provider Stripe, including users’ location, IP address and phone number.

Loosid Health, a sobriety app that claims it has 100,000 users, had access to phone numbers, carriers, locations and IP addresses.

In an emailed statement, Bicycle Health CEO Ankit Gupta wrote that the company’s app only uses data that is necessary to provide safe treatment.

“We are closely evaluating our partnership with our SDK provider Branch and are assessing any potential issues associated with their collection of advertising identification data,” he wrote. “We do not anticipate any risks to our customers’ privacy.”

Kaden Health and Loosid Health did not respond to requests for comment at the time of publication.

Some of these instances could be the result of embedding third-party code without auditing what information it actually shares.

“I don’t want to ascribe malice on the part of the developers. It’s quite possible that the choices they’ve made from a software build perspective, or the contractors they hired to build the app, they made those choices and therefore their data is at risk,” O’Brien said. “Why it’s a problem in this context: it’s very private, very sensitive information that would normally not be shared in a clinical setting.”

It’s also worth noting that there were a few exceptions. PursueCare did not share any known personal information with third parties, according to the report. Pear Therapeutics’ Reset-O app did have the ability to access users’ phone numbers and carriers, but did not request any other permissions.
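A practitioner's first check for the pattern described in the findings above (sensitive permissions such as advertising ID, location or the installed-apps list, combined with an embedded third-party SDK that could receive that data) is a static look at the app's manifest and bundled class list. The following is an added example written for this article; it is not tooling from the report, ExpressVPN's lab, or any of the companies named. The permission names are real Android permissions, but the two manifests and class lists are constructed, and the mapping of package prefixes to SDK vendors is an assumption.

```python
"""Static triage of an Android app for the data-exposure pattern the report
describes: sensitive permissions plus embedded third-party SDKs.

Added example, not the report's tooling. Sample inputs are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the data they expose.
SENSITIVE_PERMISSIONS = {
    "com.google.android.gms.permission.AD_ID": "advertising ID",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.BLUETOOTH": "Bluetooth",
    "android.permission.BLUETOOTH_CONNECT": "Bluetooth",
    # Needed to enumerate installed apps on Android 11+; older targets
    # could read the package list without declaring it, so a missing entry
    # here is not proof the app cannot see installed apps.
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
    "android.permission.READ_PHONE_STATE": "phone state (carrier, identifiers)",
}

# Package prefixes of SDKs named in the article. The prefix-to-vendor
# mapping is an assumption for this example, not taken from the report.
TRACKER_PREFIXES = {
    "com.facebook.": "Facebook SDK",
    "io.branch.": "Branch SDK",
    "com.stripe.": "Stripe SDK",
}


def parse_permissions(manifest_xml):
    """Return the set of permission names declared in an AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def audit(manifest_xml, class_names):
    """Cross-reference declared permissions with embedded third-party code.

    review_needed is True when the app both holds a sensitive permission and
    bundles a third-party SDK that could plausibly receive that data.
    """
    perms = parse_permissions(manifest_xml)
    sensitive = {p: SENSITIVE_PERMISSIONS[p]
                 for p in sorted(perms) if p in SENSITIVE_PERMISSIONS}
    sdks = sorted({vendor
                   for cls in class_names
                   for prefix, vendor in TRACKER_PREFIXES.items()
                   if cls.startswith(prefix)})
    return {
        "sensitive_permissions": sensitive,
        "third_party_sdks": sdks,
        "review_needed": bool(sensitive) and bool(sdks),
    }


# Constructed sample: an app resembling the flagged pattern.
FLAGGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recoveryapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
    <application android:label="Recovery"/>
</manifest>"""
FLAGGED_CLASSES = [
    "com.example.recoveryapp.MainActivity",
    "io.branch.referral.Branch",
    "com.facebook.appevents.AppEventsLogger",
]

# Constructed sample: an app that declares only network access and bundles
# no tracker code, the kind of result the report describes for PursueCare.
CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleanapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Clean"/>
</manifest>"""
CLEAN_CLASSES = [
    "com.example.cleanapp.MainActivity",
    "androidx.appcompat.app.AppCompatActivity",
]

if __name__ == "__main__":
    for label, manifest, classes in (("flagged", FLAGGED_MANIFEST, FLAGGED_CLASSES),
                                     ("clean", CLEAN_MANIFEST, CLEAN_CLASSES)):
        print(label, audit(manifest, classes))
```

In practice the manifest and class list come from unpacking the APK (for example with apktool or a dex listing tool). Static presence of a permission or SDK shows what the app is able to share, not what it transmits; confirming the latter requires observing the app's network traffic, so this check is a triage step that tells a developer or reviewer which embedded components deserve that closer look.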

While these patients should be protected under federal privacy laws, there is some ambiguity, as with other health apps. In addition to HIPAA, any information related to substance use disorder treatment should be subject to additional confidentiality protections under 42 CFR Part 2. A patient’s advertising ID would be considered protected health information under both of these health laws, according to Jacqueline Seitz, a senior staff attorney for health privacy with the Legal Action Center.

“Rather, the issue is really figuring out whether these laws apply to the information in the first place,” Seitz wrote in an email. “HIPAA only applies to certain types of entities and their contractors, and Part 2 only applies to certain types of addiction treatment programs and entities that receive records from those treatment programs.”

At the end of the day, the researchers hope their results will lead app developers to more carefully scrutinize their work, while still keeping virtual care available for patients who need it.

“These apps have a very important purpose for a lot of people who are very vulnerable,” O’Brien said. “I hope this has a net positive effect.”

If you are in the U.S. and in need of help, please call the free and confidential treatment referral hotline (1-800-662-HELP) or visit findtreatment.gov.

Photo credit: Zhuyufang, Getty Images