Experts respond to our study into telehealth privacy risks

As healthcare apps grow, the industry speaks out about what developers must consider when it comes to patient privacy.

Last month, ExpressVPN Digital Security Lab published a report on telehealth apps for opioid recovery and treatment. In that investigation, we uncovered serious concerns around the collection and sharing of data, especially as they relate to unique identifiers tied to patients.

Since its publication, the report has gained the attention of major media outlets and public-health organizations.

‘A substantial violation’

Jonathan J.K. Stoltman, Director of the Opioid Policy Institute, reaffirms the importance of our research: “Without this excellent technical report, patients, providers, and funders wouldn’t know the degree to which the collection and potential re-disclosure of healthcare data is happening with these services, much of which appears to be a substantial violation of medical ethics and norms.” 

Stoltman emphasizes the difficulty of choosing apps that respect privacy, saying, “If you just looked at the website and app descriptions, you would think these services protect patient data like any healthcare provider is expected to. Disappointingly, the reality is quite different.”

Among the tech outlets that covered our report, TechCrunch made sure to emphasize the role of identifiers that can follow patients in recovery long after usage of an app. “Of the 10 apps studied, seven access the Android Advertising ID (AAID), a user-generated identifier that can be linked to other information to provide insights into identifiable individuals,” it recounted. 

“Five of the apps also access the device’s phone number; three access the device’s unique IMEI and IMSI numbers, which can also be used to uniquely identify a person’s device; and two access a user’s list of installed apps, which the researchers say can be used to build a ‘fingerprint’ of a user to track their activities.”

This tracking comes after more than a year of unclear guidance from U.S. authorities. As the Financial Times points out, “The findings come as the rise of remote healthcare services during the pandemic has posed new privacy challenges. In the US, federal laws govern data-sharing in traditional healthcare settings but ‘in the emerging frontier of tele-health’ — a trend supported last year by the Centers for Disease Control and Prevention in line with social distancing guidelines.”

At ExpressVPN, we understand the importance of underscoring the real-world ecosystem that these apps are developed in. As our previous report on location-tracking apps points out, it can be difficult for developers to even understand what code may be bundled in their app and the ramifications of including third-party Software Development Kits (SDKs).

Where telehealth is concerned, the real-time impact of third-party SDKs is tangible. As Alcohol & Drug Abuse Weekly’s coverage of our report has noted, “[S]martphones can inform someone’s sponsor — or, really, anyone depending on data communications — when that person is near any liquor store or bar. The sponsor can then call the user to remind them to stay sober.”

Looking ahead to better protections

It’s not all bad news, however. Our hope is that the information we bring to light in our investigations makes a real difference in security and privacy for end-users. This isn’t an impossible goal, and healthcare professionals and doctors are actively asking for it.

“Privacy and security safeguards can be built into telehealth and mobile technology platforms,” says H. Westley Clark, Dean’s Executive Professor of Public Health at Santa Clara University. “Thus, they should be. If they are not, users have a right to know.”

Our report serves the ExpressVPN Digital Security Lab’s mission by advancing public understanding of the digital landscape. In a few short weeks, we have opened up the debate about telehealth apps for opioid recovery and treatment. This coincides with deeper concerns about the impact of apps on users and their private lives.

U.S. Senator Ron Wyden (D-OR) drives the point home, saying, “Experts have warned for years that data collected by advertising companies from Americans’ phones could be used to track them and reveal the most personal details of their lives.”

In the past month, telehealth has been a focus of app vendors, with both Google and Apple making major pushes into this area. Combined with the emergence of vaccine passports and the associated doubts around their privacy, there is cause for concern across the industry. At ExpressVPN, we’ve focused on unique identifiers and their potential for use in location tracking. This has been demonstrated recently in the dating app Grindr, which has been used to pinpoint the location of a prominent member of the clergy. 

These targeting capabilities are no longer the stuff of science fiction and are now firmly a part of our world. Can we deliver telehealth solutions without this tracking, especially for vulnerable users seeking recovery from opioid addiction? Awareness and calls for change are the first steps.

Principal Research, ExpressVPN Digital Security Lab