Several widely used opioid treatment recovery apps are accessing and sharing sensitive user data with third parties, a new investigation has found.
As a result of the COVID-19 pandemic and efforts to reduce transmission in the U.S., telehealth services and apps offering opioid addiction treatment have surged in popularity. This rise of app-based services comes as addiction treatment facilities face budget cuts and closures, which has seen both investor and government interest turn to telehealth as a tool to combat the growing addiction crisis.
While people accessing these services may have a reasonable expectation of privacy of their healthcare data, a new report from ExpressVPN's Digital Security Lab, compiled in conjunction with the Opioid Policy Institute and the Defensive Lab Agency, found that some of these apps collect and share sensitive information with third parties, raising questions about their privacy and security practices.
The report studied 10 opioid treatment apps available on Android: Bicycle Health, Boulder Care, Confidant Health, DynamiCare Health, Kaden Health, Loosid, Pear Reset-O, PursueCare, Sober Grid, and Workit Health. These apps have been installed at least 180,000 times, and have received more than $300 million in funding from investment groups and the federal government.
Despite the vast reach and sensitive nature of these services, the research found that the majority of the apps accessed unique identifiers about the user's device and, in some cases, shared that data with third parties.
Of the 10 apps studied, seven access the Android Advertising ID (AAID), a user-generated identifier that can be linked to other information to provide insights into identifiable individuals. Five of the apps also access the device's phone number; three access the device's unique IMEI and IMSI numbers, which can also be used to uniquely identify a person's device; and two access a user's list of installed apps, which the researchers say can be used to build a "fingerprint" of a user to track their activities.
Many of the apps examined are also obtaining location information in some form, which, when correlated with these unique identifiers, strengthens the capability for surveilling an individual person, as well as their daily habits, behaviors, and who they interact with. One way the apps do this is through Bluetooth; seven of the apps request permission to make Bluetooth connections, which the researchers say is particularly worrying because this can be used to track users in real-world locations.
"Bluetooth can do what I call proximity tracking, so if you're in the grocery store, it knows how long you're in a certain aisle, or how close you are to someone else," Sean O'Brien, principal researcher at ExpressVPN's Digital Security Lab who led the investigation, told TechCrunch. "Bluetooth is an area that I'm pretty concerned about."
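The permission side of these findings can be checked against an app's decoded AndroidManifest.xml. The following is an added example, not code from the report or from the apps it studied; the permission-to-category mapping, the function names and the sample manifest are this example's assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> data category named in the article (assumed mapping). What a
# permission really exposes depends on the Android version and target SDK.
CATEGORY = {
    "com.google.android.gms.permission.AD_ID": "advertising ID (AAID)",
    "android.permission.READ_PHONE_STATE": "phone number / IMEI / IMSI",
    "android.permission.READ_PHONE_NUMBERS": "phone number / IMEI / IMSI",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app list",
    "android.permission.BLUETOOTH": "Bluetooth",
    "android.permission.BLUETOOTH_SCAN": "Bluetooth",
    "android.permission.BLUETOOTH_CONNECT": "Bluetooth",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

def audit_manifest(manifest_xml: str) -> dict:
    """Return {category: sorted permission names} for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name in CATEGORY:
                found.setdefault(CATEGORY[name], set()).add(name)
    return {cat: sorted(perms) for cat, perms in found.items()}

def correlation_risk(report: dict) -> bool:
    """True when a persistent identifier and a location/proximity source coexist."""
    identifiers = {"advertising ID (AAID)", "phone number / IMEI / IMSI"}
    where = {"location", "Bluetooth"}
    return bool(identifiers & set(report)) and bool(where & set(report))

# Constructed sample manifest (not taken from any of the apps in the report).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recovery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE)
    print(report)
    print("identifier + location correlation possible:", correlation_risk(report))
```

A declared permission shows only what an app may request, and permissions merged in from bundled SDKs appear in the same manifest, so a hit here is a prompt to inspect the app's actual network traffic rather than proof of sharing.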
Another major area of concern is the use of tracker SDKs in these apps, which O'Brien previously warned about in a recent investigation that revealed that hundreds of Android apps were sending granular user location data to X-Mode, a data broker known to sell location data to U.S. military contractors, and now banned from both Apple and Google's app stores. SDKs, or software development kits, are bundles of code that are included with apps to make them work properly, such as collecting location data. Often, SDKs are provided for free in exchange for sending back the data that the apps collect.
While the researchers are keen to point out that they do not categorize all usage of trackers as malicious, particularly as many developers may not even be aware of their existence within their apps, they discovered a high prevalence of tracker SDKs in seven out of the 10 apps that revealed potential data-sharing activity. Some SDKs are designed specifically to collect and aggregate user data; this is true even where the SDK's core functionality is concerned.
But the researchers explain that an app that provides navigation to a recovery center, for example, may also be tracking a user's movements throughout the day and sending that data back to the app's developers and third parties.
In the case of Kaden Health, Stripe, which is used for payment services within the app, can read the list of installed apps on a user's phone, their location, phone number, and carrier name, as well as their AAID, IP address, IMEI, IMSI, and SIM serial number.
"An entity as large as Stripe having an app share that information directly is pretty alarming. It's worrisome to me because I know that information could be very useful for law enforcement," O'Brien tells TechCrunch. "I also worry that people having information about who has been in treatment will eventually make its way into decisions about health insurance and people getting jobs."
The data-sharing practices of these apps are likely a consequence of these services being developed in an environment of unclear U.S. federal guidance regarding the handling and disclosure of patient information, the researchers say, though O'Brien tells TechCrunch that the actions could be in breach of 42 CFR Part 2, a law that outlines strong controls over disclosure of patient information related to treatment for addiction.
Jacqueline Seitz, a senior staff attorney for health privacy at Legal Action Center, however, said this 40-year-old law hasn't yet been updated to recognize apps.
"Confidentiality continues to be one of the major concerns that people cite for not entering treatment," Seitz told TechCrunch. "While 42 CFR Part 2 recognizes the very sensitive nature of substance use disorder treatment, it doesn't mention apps at all. Existing privacy laws are totally not up to speed.
"It would be great to see some leadership from the tech community to establish some basic standards and recognize that they're collecting super-sensitive information so that patients aren't left in the middle of a health crisis trying to navigate privacy policies," said Seitz.
Another likely reason for these practices is a lack of security and data privacy staff, according to Jonathan Stoltman, director at Opioid Policy Institute, which contributed to the research. "If you look at a hospital's website, you'll see a chief information officer, a chief privacy officer, or a chief security officer that's in charge of physical security and data security," he tells TechCrunch. "None of these startups have that."
"There's no way you're thinking about privacy if you're collecting the AAID, and almost all of these apps are doing that from the get-go," Stoltman added.
Google is aware of ExpressVPN's findings but has yet to comment. However, the report has been released as the tech giant prepares to start limiting developer access to the Android Advertising ID, mirroring Apple's recent efforts to enable users to opt out of ad tracking.
While ExpressVPN is keen to make patients aware that these apps may violate expectations of privacy, it also stresses the central role that addiction treatment and recovery apps may play in the lives of those with opioid addiction. It recommends that if you or a family member used one of these services and find the disclosure of this data to be problematic, contact the Office of Civil Rights through Health and Human Services to file a formal complaint.
"The bottom line is this is a general problem with the app economy, and we're watching telehealth become part of that, so we need to be very careful and cautious," said O'Brien. "There needs to be disclosure, users need to be aware, and they need to demand better."
Recovery from addiction is possible. For help, please call the free and confidential treatment referral hotline (1-800-662-HELP) or visit findtreatment.gov.