Opioid Addiction Apps Share User Data - Privacy Concerns

Opioid Treatment Apps and Data Sharing Concerns
A recent investigation has revealed that numerous opioid treatment recovery applications, widely utilized by individuals seeking help, are accessing and subsequently sharing sensitive user data with external third parties.
The Rise of Telehealth and App-Based Addiction Treatment
The COVID-19 pandemic spurred a significant increase in the popularity of telehealth services, including apps designed to facilitate opioid addiction treatment. This growth coincides with budgetary constraints and facility closures impacting traditional addiction treatment centers, leading to increased investment and governmental attention towards telehealth as a potential solution to the escalating addiction crisis.
Privacy Expectations and the New Report
Individuals utilizing these digital services reasonably anticipate the privacy of their healthcare information will be protected. However, a new report originating from ExpressVPN’s Digital Security Lab, in collaboration with the Opioid Policy Institute and the Defensive Lab Agency, indicates that certain apps are collecting and disseminating sensitive data to third parties, prompting concerns regarding their privacy and security protocols.
Apps Under Scrutiny
The study encompassed ten opioid treatment applications available on the Android platform: Bicycle Health, Boulder Care, Confidant Health, DynamiCare Health, Kaden Health, Loosid, Pear Reset-O, PursueCare, Sober Grid, and Workit Health. Collectively, these apps have been installed over 180,000 times and have secured more than $300 million in funding from both investment groups and governmental sources.
Data Collection Practices
The research demonstrated that the majority of these applications access unique identifiers associated with the user’s device. In several instances, this data was shared with third-party entities.
Specific Data Points Accessed
Of the ten apps analyzed, seven accessed the Android Advertising ID (AAID), a user-generated identifier that can be linked to other information to identify individuals. Five apps also obtained the device’s phone number. Furthermore, three accessed the device’s unique IMEI and IMSI numbers, enabling unique device identification, and two accessed a user’s list of installed applications, potentially used to create a user “fingerprint” for tracking purposes.
Location Tracking and Bluetooth Concerns
Many of the examined apps also acquire location data, which, when combined with unique identifiers, enhances the ability to monitor an individual’s activities, habits, and interactions. Seven of the apps request Bluetooth connection permissions, a practice researchers find particularly concerning due to its potential for real-world location tracking.
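As an added example (not code from the report or from any of the apps it names), the following manifest audit flags the Android permissions that unlock the identifiers and sensors listed in the two sections above; the permission-to-data mapping and the sample manifest are constructed assumptions for illustration.

```python
# Added example: audit an AndroidManifest.xml for permissions that expose
# the data points the report describes (AAID, phone number, IMEI/IMSI,
# installed-app list, location, Bluetooth).
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from manifest permission to the data it can expose.
# Note: IMEI/IMSI/SIM serial via READ_PHONE_STATE applies to Android 9
# and earlier; later versions restrict these to privileged apps.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, IMSI, SIM serial",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.BLUETOOTH": "Bluetooth (proximity tracking)",
    "android.permission.BLUETOOTH_CONNECT": "Bluetooth (proximity tracking)",
    "android.permission.BLUETOOTH_SCAN": "Bluetooth (proximity tracking)",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app list (fingerprinting)",
    "com.google.android.gms.permission.AD_ID": "Android Advertising ID (AAID)",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return {permission: exposed data} for every sensitive permission declared."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in SENSITIVE_PERMISSIONS:
            findings[name] = SENSITIVE_PERMISSIONS[name]
    return findings


# Constructed sample manifest for a hypothetical recovery app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recoveryapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
</manifest>"""

if __name__ == "__main__":
    for perm, exposes in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{perm}: {exposes}")
```

A declared permission shows capability, not proven use; pair this check with a runtime or SDK review before drawing conclusions about an app.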
Expert Commentary on Bluetooth Tracking
“Bluetooth enables what I refer to as proximity tracking,” explained Sean O’Brien, principal researcher at ExpressVPN’s Digital Security Lab. “For example, it can determine how long someone spends in a specific grocery store aisle or their proximity to other individuals.” He expressed significant concern regarding this capability.
Tracker SDKs and Data Brokers
Another significant concern is the utilization of tracker SDKs within these apps. These SDKs, or software development kits, are code bundles that facilitate app functionality, often including data collection. Frequently, they are provided at no cost in exchange for the collected data.
Nuances of Tracker Usage
While researchers acknowledge that not all tracker usage is inherently malicious, and developers may be unaware of their presence, they discovered a high prevalence of tracker SDKs in seven of the ten apps, indicating potential data-sharing activity. Some SDKs are specifically designed to collect and aggregate user data, even where that goes beyond their core functionality.
Data Collection Beyond Core Functionality
An app designed to provide navigation to a recovery center, for instance, might also track a user’s movements throughout the day and transmit that data to developers and third parties.
Kaden Health and Stripe Data Access
In the case of Kaden Health, Stripe – the app’s payment processor – could access the user’s list of installed apps, location, phone number, carrier name, AAID, IMEI, IMSI, and SIM serial number.
Concerns Regarding Data Access by Stripe
“The fact that an entity as substantial as Stripe has access to this information is quite alarming,” O’Brien stated. “It’s concerning because this data could be valuable to law enforcement. I also worry that information about individuals in treatment could impact health insurance decisions and employment opportunities.”
Kaden Health’s Response
Following the publication of ExpressVPN’s findings, Kaden Health reported removing Stripe from its mobile application after an app store review.
Lack of Federal Guidance and Potential Legal Issues
The researchers suggest that these data-sharing practices stem from a lack of clear U.S. federal guidance regarding the handling and disclosure of patient information. O’Brien also indicated that these actions could potentially violate 42 CFR Part 2, a law establishing strict controls over the disclosure of addiction treatment-related patient information.
Limitations of Existing Laws
Jacqueline Seitz, a senior staff attorney for health privacy at Legal Action Center, noted that this 40-year-old law has not been updated to encompass applications.
The Importance of Confidentiality in Treatment
“Confidentiality remains a primary concern for individuals hesitant to enter treatment,” Seitz explained. “While 42 CFR Part 2 recognizes the sensitive nature of substance use disorder treatment, it does not address apps. Current privacy laws are inadequate.”
Need for Industry Standards
“It would be beneficial to see leadership from the tech community to establish basic standards and acknowledge the collection of highly sensitive information, ensuring patients aren’t left navigating privacy policies during a health crisis,” Seitz added.
Lack of Dedicated Security Staff
Jonathan Stoltman, director at Opioid Policy Institute, attributed these practices to a lack of dedicated security and data privacy personnel within these startups. “Hospitals typically have a chief information officer, a chief privacy officer, or a chief security officer overseeing both physical and data security,” he stated. “None of these startups have that.”
AAID Collection and Privacy Concerns
“If you’re collecting the AAID, you’re not prioritizing privacy,” Stoltman emphasized, noting that almost all of these apps do so from the outset.
Kaden Health’s Internal Security Team
Kaden Health stated that while these roles are not publicly listed on its website, it maintains “a robust team dedicated to its privacy and security programs, including security, privacy, and technology officers.”
Google’s Response and Future Changes
Google acknowledged ExpressVPN’s findings but has not yet issued a comment. However, the report’s release coincides with Google’s plans to limit developer access to the Android Advertising ID, mirroring Apple’s recent efforts to allow users to opt out of ad tracking.
Recommendations for Users
ExpressVPN emphasizes the importance of informing patients that these apps may compromise privacy expectations. It also highlights the crucial role addiction treatment and recovery apps play in the lives of those struggling with opioid addiction. The organization recommends contacting the Office of Civil Rights through Health and Human Services to file a formal complaint if you or a family member used one of these services and find the data disclosure problematic.
Concluding Remarks
“This is a broader issue within the app economy, and telehealth is becoming part of it,” O’Brien concluded. “We need transparency, user awareness, and a demand for better practices.”
Recovery from addiction is possible. For help, please call the free and confidential treatment referral hotline (1-800-662-HELP) or visit findtreatment.gov. This article was updated with comment from Kaden Health.
Further Reading
- Location broker X-Mode continues to track users despite app store bans
- The truth about SDK integrations and their impact on developers
- Apple tells app developers to disclose or remove screen recording code – TechCrunch
- Google removes three Android apps for children over data collection violations