May is mental health awareness month! In pursuing help or advice for mental health struggles (beyond just this month, of course), users may download and use mental health apps. Mental health apps are convenient and may be cost effective for many people.

However, while these apps may provide mental health resources and benefits, they may be harvesting considerable amounts of information and sharing health-related data with third parties for advertising and tracking purposes.

Disclaimer: This post is not meant to serve as legal or medical advice. This post is for informational purposes only. If you are experiencing an emergency, please contact emergency services in your jurisdiction.

Understanding HIPAA

Many people have misconceptions about the Health Insurance Portability and Accountability Act (HIPAA) and disclosure/privacy.

According to the US Department of Health and Human Services (HHS), HIPAA is a “federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.” There is a HIPAA Privacy Rule and a HIPAA Security Rule.

The Centers for Disease Control and Prevention (CDC) states the Privacy Rule standards “address the use and disclosure of individuals’ health information by entities subject to the Privacy Rule.” It’s important to understand that the Privacy Rule covers entities subject to it.

Entities include healthcare providers, health plans, health clearing houses, and business associates (such as billing specialists or data analysts). Many mental health apps aren’t classified as either; also, though there are a few subject to HIPAA, some have been documented not to actually be compliant with HIPAA rules.

What does this mean? Many mental health apps are not considered covered entities and are therefore “exempt” (for lack of better word) from HIPAA. As such, these apps appear to operate in a legal “gray area,” but that doesn’t mean their data practices are ethical or even follow proper basic information security principles for safeguarding data…

Even apps that collect PHI information protected by HIPAA may still share/use your information that doesn’t fall under HIPAA protections.

Mental health apps collect a wealth of personal information

Naturally, data collected by apps falling under the “mental health” umbrella varies widely (as do the apps that fall under this umbrella.)

However, most have users create accounts and fill out some version of an “intake” questionnaire prior to using/enrolling in services. These questionnaires vary by service, but may collect information such as:

• name
• address
• email
• phone number
• employer information

Account creation generally and at minimum requires user email and a password, which is indeed routine.

It’s important to note your email address can serve as a particularly unique identifier – especially if you use the same email address everywhere else in your digital life. If you use the same email address everywhere, it’s easier to track and connect your accounts and activities across the web and your digital life.

Account creation may also request alternative contact information, such as a phone number, or supplemental personal information such as your legal name. These can and often do serve as additional data points and identifiers.

It’s also important to note that on the backend (usually in a database), your account may be assigned identifiers as well. In some cases, your account may also be assigned external identifiers – especially if information is shared with third parties.

Intake questionnaires can collect particularly sensitive information, such as (but not necessarily limited to):

• past mental health experiences
• age (potentially exact date of birth)
• gender identity information
• sexual orientation information
• other demographic information
• health insurance information (if relevant)
• relationship status

Question from BetterHelp intake questionnaire found in FTC complaint against BetterHelp

These points of sensitive information are rather intimate and can easily be used to identify users – and could be disasters if disclosed in a data breach or to third party platforms.

These unique and rather intimate data points can be used to exploit users in highly targeted marketing and advertising campaigns – or perhaps even used to facilitate scams and malware via advertising tools third parties who may receive such information provide to advertisers.

Note: If providing health insurance information, many services require an image of the card. Images can contain EXIF data that could expose a user’s location and device information if not scrubbed prior to upload.

Information collection extends past user disclosure

Far more often than not, information collected by mental health apps extends past information a user may disclose in processes such as account creation or completing intake forms – these apps often harvest device information, frequently sending it off the device and to their own servers.

For example, here is a screenshot of the BetterHelp app’s listing on the Apple App Store in MAY 2024:

The screenshot indicates BetterHelp uses your location and app usage data to “track you across apps and websites owned by other companies.” We can infer from this statement that BetterHelp shares your location information and how you use the app with third parties, likely for targeted advertising and tracking purposes.

The screenshot also indicates your contact information, location information, usage data, and other identifiers are linked to your identity.

Note: Apple Privacy Labels in the App Store are self-reported by the developers of the app.

This is all reinforced in their updated privacy policy (25 APR 2024), where BetterHelp indicates they use external and internal identifiers, collect app and platform errors, and collect usage data of the app and platform:

In February 2020, an investigation revealed BetterHelp also harvested the metadata of messages exchanged between clients and therapists, sharing them with platforms like Facebook for advertising purposes. This was despite BetterHelp “encrypting communications between client and therapist” – they may have encrypted the actual message contents, but it appears information such as when a message was went, the receiver/recipient, and location information was available to the servers… and actively used/shared.

While this may not seem like a big deal at first glance – primarily because BetterHelp is not directly accessing/reading message contents – users should be aware that message metadata can give away a lot of information.

Cerebral, a mental health app that does fall under the HIPAA rules, also collects device-related data and location data, associating them with your identity:

According to this screenshot, Cerebral shares/uses app usage data with third parties, likely for marketing and advertising purposes. Specifically, they…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at: https://avoidthehack.com/mental-health-privacy