89% of NHS-accredited health apps leaking personal data

An article published in the journal BMC Medicine earlier this month (“Unaddressed privacy risks in accredited health and wellness apps: a cross-sectional systematic assessment”) reports that 89% of health apps certified as trustworthy by the NHS Health Apps Library “transmitted information to online services” and none “encrypted personal information stored locally.”

Researchers from Imperial College London found that:

  • 66% of apps sending identifying information over the Internet did not use encryption.
  • 20% did not have a privacy policy.
  • 78% of information-transmitting apps with a privacy policy did not describe the nature of personal information included in transmissions.
  • Four apps sent both identifying information and health information without encryption.
  • Two apps appeared to place users at risk of data theft because of security problems.

It is currently estimated that 1.5 billion smartphone users have a health app – a number that is set to treble in the next three years. The Guardian reports that “Earlier this month, the health secretary, Jeremy Hunt, said his ambition was to get 15% of NHS patients routinely reading and adding to their online medical records using smartphone apps within the next 12 months.”

Kit Huckvale, a PhD student at Imperial College London who co-wrote the study, told the BBC that the NHS needed to put more investment into apps:

“[This] study is a signal and an opportunity to address this because the NHS would like to see strategic investment in apps to support people in the future.”

NHS England responded:

“We were made aware of some issues with some of the featured apps and took action to either remove them or contact the developers to insist they were updated. A new, more thorough NHS endorsement model for apps has begun piloting this month.”
