How Wellness Apps Can Compromise Your Privacy

These apps can help with mental health, but their data is up for sale

David Hoffman and Rachele Hendricks-Sturrup discuss privacy and wellness apps

“People perceive that it's private, they perceive that it's protected, but we know in fact that it's not,” said Dr. David Reitman, medical director at the American University Student Health Center, who, with Marc Groman, a privacy and information risk management expert, led off the day’s discussion.

“It is a race to be first, not to protect privacy,” Groman said, referring to the competition in the app-creation space. “The laws that apply in this space stink. You, the customer, need to say this is not OK.”

Technology Creates Privacy Challenges

The panel discussion that followed was moderated by David Hoffman, a professor of the practice of cybersecurity policy at the Sanford School of Public Policy and senior lecturing fellow at Duke Law. It was meant to draw attention to the challenges created by today’s technology and to explore how personal health data is collected as well as potential legal and policy solutions.

Hoffman, along with Jolynn Dellinger, senior lecturing fellow at Duke Law and at the Duke Initiative for Science and Society, created Duke’s Data Privacy Day symposium. From 2007 to 2013, Dellinger worked as the founding program manager for Data Privacy Day.

Video of the full symposium can be seen on the Sanford School of Public Policy website.

Data Collection Goes Beyond Apps

Panelist Rachele Hendricks-Sturrup, research director of Real-World Evidence (RWE) at the Duke-Margolis Institute for Health Policy in Washington, D.C., said the collection of data is far-reaching and can include geolocation information (did you visit Planned Parenthood?); credit card history (did you use it for a medical co-pay?); and music streaming (are you downloading meditation music?).

“It's about to what extent can data be generated and used to draw conclusions or to make inferences about my health or the population's health,” Hendricks-Sturrup said.

Congress Fails to Protect Consumers

While Congress has given lip service to creating health care data privacy laws, little has been done to develop comprehensive legislation. Instead, the task has fallen either to individual states or to the Federal Trade Commission, said Maneesha Mithal, a partner in the privacy and cybersecurity practice in the Washington, D.C., office of Wilson Sonsini Goodrich & Rosati.

Mithal previously worked in the Federal Trade Commission’s (FTC) Division of Privacy and Identity Protection.

“The FTC began to use its general authority to go after some of these unsavory practices in the health privacy area,” Mithal said.

The FTC has been the chief federal agency on privacy policy and enforcement since the 1970s, when it began enforcing one of the first federal privacy laws – the Fair Credit Reporting Act.

For example, in March 2023, the FTC banned BetterHelp from revealing consumers’ data to Facebook and others for targeted advertising and required it to pay $7.8 million to consumers to settle charges that it revealed consumers’ sensitive data to third parties. The data included email addresses, IP addresses and even health questionnaire information shared by patients with the online counseling services company.

Data Brokers Seize on Opportunities

Selling personal information to so-called data brokers (third parties who purchase information) is big business, said Justin Sherman, an adjunct professor at the Sanford School of Public Policy, where he runs its research program on data brokerage. His research has led him to testify before Congress and to brief White House officials and policymakers around the world.

Information purchased by these brokers can range from demographic details such as age and gender, to purchasing habits, medical conditions and financial history.

“You can go out there and buy lists of people with cancer, people suffering from depression, people who have had thoughts of suicide, just like you can buy (lists of) millennial coffee drinkers in Manhattan,” says Sherman. “There are certainly more innocuous lists, but the mental health space orients around the conditions people have, the facilities they visit for treatment, even specific prescriptions.”

Tim Sparapani, a legislative, legal and strategic consultant, paraphrased Shakespeare to convey his thoughts on existing health privacy law: “I come not to praise HIPAA, but to bury it,” he said.

“If you were going to try to create a health privacy law, you would think about the public policy goals that might be achieved by it and you'd realize, I think, that HIPAA fails each and every one of these tests,” Sparapani said.

Panelists agreed that waiting for Congress to act isn’t the answer to data privacy protection. Consumers need to educate themselves about what is being shared, and states are increasingly passing laws, but it’s the FTC that has emerged as the leader in health data privacy protection.