Some health apps putting users’ personal information at risk
“Furthermore, 66 percent of apps sending identifying information over the Internet did not use encryption and 20 percent did not have a privacy policy”, the report states.
Several smartphone health apps backed by the NHS could be putting users’ privacy at risk, according to a study by Imperial College London.
Researchers have discovered that a vast number of health apps do not properly secure customer data and have poor privacy standards that could allow personal information to be compromised.
In the United Kingdom, the NHS runs a project called the Health Apps Library, a database of officially approved health-monitoring applications.
In a paper published today in BMC Medicine, “Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment”, researchers examined 79 separate apps included in the NHS’ “Health Apps Library”, on both Android and iOS.
“However, it was assumed that accredited apps – those that had been badged as trustworthy by organisational programs such as the UK’s NHS Health Apps Library – would be free of such issues”. One in six also sent information to third parties such as advertisers, despite privacy policies not mentioning this could happen.
Apps in NHS England’s Health Apps Library are vetted for data protection and medical accuracy by the health service, but the study found that numerous apps did not meet basic security standards and were sending private data without encrypting it.
More and more people are using apps to self-diagnose, help get themselves healthy, and generally just keep tabs on their own well-being.
This puts users at risk of identity theft and fraud, they said. “Many apps ask for a broad range of permissions and collect much more data than we might expect”, he said.
They were supposed to have been checked to make sure that as well as being clinically safe, they comply with data protection laws.
The researchers used a hacking procedure known as a “man-in-the-middle attack” to capture the data sent by an app over the internet.
“The study is a signal and an opportunity to address this because the NHS would like to see strategic investment in apps to support people in the future”, Huckvale told the BBC.
They added: “We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated”.
In a statement, NHS England told the BBC that a new, more thorough NHS endorsement model for apps had begun piloting this month.