Mobile health apps make booking appointments, ordering prescriptions and receiving health advice easier than ever, and many people use them to personalise their healthcare.
However, users could be unknowingly and legally sharing their medical data with third parties via commercial health apps, according to the British Medical Journal.
This follows reports last year that Australian appointment-booking app HealthEngine had shared users’ details with personal injury lawyers.
This has sparked a debate surrounding the wider issue of health data privacy, and what companies should be allowed to do with it, with many uncomfortable with the idea of advertisers profiling users based on sensitive information.
The BMJ has conducted an investigation into the issue, and found that many popular health apps are sharing user data with third parties without users realising.
Published in the BMJ, the study looked at the top-rated medical apps for Android for users in the United Kingdom, United States, Australia, and Canada.
Of the 821 apps screened, the study identified 24 apps related to medication management that requested permissions related to user data.
Of these 24 apps, 79% engaged in data sharing, with 67% providing services related to the “collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks” and 28 types of user data shared. Although the data is anonymised, meaning it is unlikely users could be identified from it, according to IT Pro, apps shared sensitive data such as blood pressure, Android ID, birthdays, email addresses and locations with third parties.
This means that advertisers could potentially use this information to target ads based on personal health data as users browse the internet.
The BMJ has concluded that this practice is routine and “far from transparent”, and that both app users and clinicians should be aware of this. Although apps may have permission to use user data, this is often hidden in small print and not widely known. To remedy this, developers should “disclose all data sharing practices and allow users to choose precisely what data are shared and with whom”.
Mark Noctor, VP EMEA at Arxan Technologies, believes that data sharing puts organisations at risk of serious data breaches:
“With the health apps sharing data with third parties, not only is a patient’s medical history, medication details, and other personal information being shared, there is also a much higher risk of this data being leaked.
“Users of mobile health apps and IT decision makers with insights into the security of mobile health apps feel that their mobile apps are adequately secure. In fact, most feel that app developers are doing everything they can to protect their health apps. However, perception is not reality. Most health apps have significant vulnerabilities and the impact for healthcare organisations and health app users can be devastating.”
He believes that greater testing is needed to ensure that apps are secure:
“As a baseline, before apps come onto the market, medical device manufacturers and developers need to thoroughly test the applications to ensure they are effectively protected against cyber-attacks and exploits, and equally companies who decide to share their app’s data with third parties need to be certain those third-party apps are also secure. The healthcare community should understand this concept better than anyone – just as prevention saves lives and reduces care costs, this same approach needs to apply to app security.”