Health app data breaches are becoming commonplace as more and more companies are failing to keep their customer’s information secure. But why exactly has there been a rise in health app data breaches over the past few years?
Any organisation that stores the personal data of its customers, current employees and former employees, has a legal obligation to keep said data secure. Unfortunately, not every company can uphold this responsibility, which often results in devastating data breaches.
The health app industry is one sector that has experienced a huge increase in the number of data breaches over the past few years, which raises several questions, the most important being – ‘why’?
So, whether you’ve been using a health app and are looking to make a claim if your personal data has been breached, or you simply want to know more about what has caused the boom in the number of breaches, this post should be of particular interest to you.
What Factors Have Contributed to the Rise in Health App Data Breaches?
Most Health Apps Are Found to Have Weak Security
In 2020, an assessment carried out on some of the most popular mobile health apps revealed several serious security vulnerabilities. The study provided some explanation as to why the number of data breaches is continually on the rise.
Weak encryption was found in 91 per cent of the apps that were assessed, putting them at risk of data exposure and intellectual property theft.
This particular issue may simply be down to the way the apps are designed, as well as the designer’s approach to security. Speaking on the matter, Bill Horne, VP and GM of Intertrust Secure Systems claimed: "There are numerous security solutions that can help strengthen apps, but everything begins with the internal priorities and approach of organisations.
"Most organisations still take a very reactive approach towards security. They need to be more proactive. A strong security policy for software development ensures that security best practices are employed from the beginning."
Health Apps Play ‘Fast and Loose’ With User Data
The Federal Trade Commission (FTC) has warned that health apps and devices that collect or use health information are routinely being caught playing ‘fast and loose’ with user data, leaving sensitive health information susceptible to hacks and breaches.
This relates the insecure transmission of user data, including geolocation, to the unauthorised dissemination of data to advertisers and other third parties.
In a step to rectify this issue, the FTC has warned health apps that they must notify customers if their data is breached or shared with third parties without their permission. If companies don’t comply, the FTC has claimed it will vigorously enforce fines of $43,792 per violation, per day.
Simple Human Error
The fact of the matter is that most data breaches, regardless of the industry, are caused by simple human error. A data breach can be, and often is, caused by a mistake as simple as an email or letter being sent to the wrong recipient.
Specifically looking at health apps, a reoccurring theme tends to centre around a failure to properly secure online databases, which is the responsibility of the app owners, or specific individuals within the company.
Human error is the second most common cause of data breaches, accounting for 22% of reported cases. This demonstrates just how easy it can be for a simple mistake to escalate into a serious situation.
Examples of Recent Health App Data Breaches
GetHealth Lose 60 Million Customer Records
In September 2021, an unsecured database that contained over 61 million records related to wearable technology and fitness services was left exposed online. Following an investigation, it was found that the database in question belonged to GetHealth.
GetHealth accesses health and wellness data from hundreds of wearables, medical devices and other apps, pulling data from sources such as Fitbit, Misfit Wearables, Strava and Google Fit.
The online database containing the data was accessible without the need for a password, meaning millions of records with potentially sensitive data were out in the open for all to see.
The data contained in the repository was said to include names, dates of birth, weight, height, gender and GPS logs. It was unclear how long the records were exposed or who may have been able to access the data.
Babylon Health Suffer ‘Software Error’
Babylon Health was forced to acknowledge that its GP video appointment app suffered a data breach in 2020. The firm was first alerted to the issue after one of its users discovered that they had been given access to video recordings of other patients’ consultations.
"On the afternoon of Tuesday 9 June, we identified and resolved an issue within two hours whereby one patient accessed the introduction of another patient's consultation recording," Babylon said of the data breach.
"Our investigation showed that three patients, who had booked and had appointments today, were incorrectly presented with, but did not view, recordings of other patients' consultations through a subsection of the user's profile within the Babylon app."
"This was the result of a software error rather than a malicious attack," it continued.
"The problem was identified and resolved quickly.”
The Information Commissioner’s Office (ICO), the body responsible for overseeing such breaches declared that Babylon would face no further action.
Flo Share Users’ Health Data with Third-Party Analytics and Marketing Services
Flo, a period and fertility tracking app used by over 100 million people, faced allegations at the start of 2021 that they were sharing health data with third-party app analytics and marketing services, in contrast to prior promises.
The FTC said that press coverage of Flo users sharing users’ data with third-party analytics and marketing firms including Facebook and Google had led to hundreds of complaints. The app only stopped leaking users’ health data following the negative press coverage.
The FTC reached a settlement with Flo and, under the terms, the app was prohibited from misrepresenting the purposes for which it collects, maintains, uses or discloses the data.
Will Health App Data Breaches Continue to be on the Rise?
In this post, we’ve provided some insight into the recent rise of health app data breaches, as well as looking at some recent examples to demonstrate how complex the current situation is.
Given that various authorities are cracking down on health apps that are responsible for data breaches, the next few years may see a change in the pattern, but only time will tell if this is the case.
Have you ever been the victim of a health app data breach? If so, why not leave a comment with your experiences below?
Michael Jenkins
Michael is a freelance writer specialising in healthcare technologies. With a BSc in Medical Science and a keen interest in AI, Michael enjoys writing about data-breaches, the advancement of medical devices, and cloud and blockchain computing.
