Health apps encourage us to pour personal information once shared only with doctors into software that lives on our mobile devices. As we connect ourselves to services that monitor our health and behavior, security questions arise, especially when flaws in these services are exposed.
Glow, the period and fertility tracker app, is the latest health tracking app to come under fire for security issues. Consumer Reports discovered the app had multiple vulnerabilities that let someone who knew a user's email access their personal data, as well as a flaw that allowed someone to access personal information like emails, passwords, and posts in the app's community forums.
"We concluded that it would be easy for stalkers, online bullies, or identity thieves to use the information they gathered to harm Glow’s users," Consumer Reports wrote. Some of the information people share with the app includes sexual activity, menstrual cycles, whether they've had an abortion, medications, and other intimate health data.
In July, Glow updated the app to fix the security issues, and emailed users to change their passwords just to be safe. Jennifer Tye, head of U.S. operations at Glow, gave the following statement to the Daily Dot:
We appreciate Consumer Reports bringing to our attention some possible vulnerabilities within our app. The industry only gets stronger with white hats who are looking to protect consumers. Once informed, our team immediately worked to address and correct the potential issues and have since released an updated version of the app. We also informed users via email to consider changing their password as an extra precaution. Of the more than 4 million users across our apps, far less than 0.15% of our users could have potentially been impacted, but there is no evidence to suggest that any Glow data has been compromised.
As the Washington Post notes, Glow and other fitness and activity tracking apps don't fall under HIPAA compliancy, the law that requires confidential handling of medical data you share with clinicians. The Food and Drug Administration doesn't require health tracking app makers to submit their software to the FDA for review.
The lack of oversight apps get while containing the same information a doctor has could be concerning in some cases, like when corporate wellness programs implement fitness tracking or weight loss programs using apps. Fitness apps and wearables are increasingly popular in offices and classrooms, and organizations sometimes require employees or students to wear them.
Earlier this year, deputy director of the Privacy & Data Project at the Center for Democracy & Technology Michelle De Mooy told the Daily Dot that privacy of these tools is sometimes overlooked because of the push to incorporate high-tech resources into wellness programs. "There’s a rush to really invest in technology, especially when schools are concerned...There’s a big push in a lot of schools in the U.S. to embrace technology and STEM, and sometimes what I’ve seen is a rush to do this without really making sure the companies being used to do this kind of thing are really protecting data and privacy."
Fitness and health apps sometimes share information with third-party services, which in turn can use your personal information to serve up advertising. A 2014 study by the Federal Trade Commission found that of 43 health and fitness apps studied, 39 percent of free and 30 percent of paid apps give data to third-party services that are not disclosed in the app's policies.
Glow's flaws have been patched, but the security incident serves as a reminder that our patient information stored anywhere but the doctor's office might not be as secure as we think.