ExpressVPN’s Analysis of 10 Opioid Treatment and Recovery Apps Shows Major Privacy Concerns

Seven out of the 10 apps request permission to make Bluetooth connections and 7 out of 10 apps also access location data, if available.


During the still ongoing COVID-19 pandemic, the entire digital health space saw a sharp increase in demand. Telehealth in particular grew like never before, allowing patients to have virtual consultations with physicians who may be on the other side of the country. However, the increased adoption brought along increased privacy and security challenges.

ExpressVPN, which is one of the best VPNs in the world, wanted to dive deeper into said privacy and security challenges with a focus on patient records for addiction treatment and recovery — which are extremely sensitive.

Millions of Americans are impacted by addiction, inflicting a heavy toll on communities across the U.S. in the past two decades. As the opioid crisis continues, people seeking treatment for addiction will be increasingly drawn to telehealth solutions delivered by their smartphones.

How the research was conducted

To make the research possible, ExpressVPN Digital Security Lab partnered with the Opioid Policy Institute (OPI) and the Defensive Lab Agency, as well as researchers from Yale University and the Legal Action Center (LAC) — who provided their feedback and input. All of the contributors agree that the findings include troubling and conspicuous signs of privacy and, potentially, security issues.

The studied apps have a vast reach, coverage in all 50 states, and more than $300 million in funding from investment groups and the federal government. In some cases, these apps represent growing and influential social networks.

For instance, Loosid alone claims over 100,000 users and 1.4 million “dating interactions” and is marketed as “the world’s most popular sobriety and recovery app,” while Sober Grid is branded “the world’s most popular mobile sober community.”

The findings

Arguably the most alarming revelation from the study of ten opioid addiction treatment and recovery apps is the consistent access of unique identifiers. These range from software-defined IDs to those that are tied to the smartphone’s hardware and the consumer’s account with a cell provider. For example:

  • 7 out of 10 apps access the advertising ID
  • 5 apps access the phone number
  • 8 apps access other telephony information such as the carrier name
  • 3 apps access the IMEI and IMSI from the cell provider
  • 1 app accesses the serial number from the cell SIM card
  • 3 apps access the network information/IP address
  • 1 app accesses the hardware address/MAC address

It is unclear why such information is collected for addiction treatment, but it should certainly be considered sensitive in that context. Other smartphone data collected by many of these apps offers opportunities for identification and surveillance. This includes logs of device activity, the list of other apps installed on the device, and both coarse and fine location data.

Though some of the apps analyzed, such as PursueCare, did not require detailed sensor input, others requested permission for detailed sensor data. For example, 7 out of the 10 apps request permission to make Bluetooth connections and 7 out of 10 apps also access location data, if available. Correlated with data from other smartphones and IoT hardware such as beacons, smart speakers, and even the sidewalks in smart cities, this information can be used to compile data profiles on an individual person.

Better privacy is needed…

Though each app may differ in its implementation, the sheer amount of data available to the majority of the studied apps raises questions about the privacy and security practices of telehealth apps.

That being said, ExpressVPN wanted to emphasize the central role that addiction treatment and recovery apps may play in the lives of people with opioid addiction. The availability of telehealth is perhaps more prescient than ever, and traditional brick-and-mortar addiction treatment facilities face unprecedented budget crises and closures related to COVID-19.

For this reason, this criticism of telehealth apps should not be misconstrued as calls for their removal from distribution or bans on their usage. Instead, ExpressVPN wants to place emphasis on the importance of patient and end-user privacy, “shining a light on the growing and prescient concerns within the domain of telehealth treatment.”

And in case you wonder, we do strongly suggest ExpressVPN, which you can get from the link below. 😉

ExpressVPN
Price from: $8.32/mo
30-day money-back guarantee

Pros

  • Feature-rich yet easy to use
  • One of the best VPNs around
  • Strong no-logging policy
  • Reliable support you can reach 24/7

Cons

  • Limited number of servers in Africa and the Middle East
  • Kinda pricey