February 27, 2019

Your iPhone may be secretly sharing private health data with Facebook

Daily Briefing

    At least a half-dozen popular smartphone apps have been sharing sensitive health information with Facebook—even if the user isn't connected to Facebook, and often without disclosing their data-sharing practices, according to a Wall Street Journal investigation.

    Since the investigation was published on Friday, several of the apps have reduced or eliminated their data sharing.

    These apps have been sending your health information to Facebook

    For the investigation, the Journal tested more than 70 of the most popular smartphone apps in Apple's iOS App Store from categories that may require users to input sensitive information, such as health and financial data. The Journal used software to monitor the apps' communications with Facebook and other third parties.

    The investigation revealed that at least six of the top 15 health and fitness apps sent potentially sensitive information to Facebook.

    Among those apps was Instant Heart Rate: HR Monitor, the most popular heart-rate app on Apple's iOS. The Journal found the app sent a user's heart rate to Facebook immediately after it was recorded.

    Another popular app sending private data to Facebook was the Flo Period & Ovulation Tracker, which claims to have 25 million active users. The Journal found the app told Facebook when a user was having her period or had informed the app of her intention to get pregnant. This behavior appears to contradict Flo Health's privacy policy, which states that "information regarding your marked cycles, pregnancy, symptoms, notes, and other information that is entered by you and that you do not elect to share" is not passed to third parties.

    Initially, in a written statement, Flo told the Journal it sends only "depersonalized" data to Facebook, but the Journal's testing found that the data included a "unique advertising identifier" that could be matched to a user's device or profile.

    The Journal limited its testing to apps in the iOS App Store, rather than in Android's equivalent store, because the software it used in its testing could not monitor communications from Android apps. However, Esther Onfroy, co-founder of Defensive Lab Agency, a cybersecurity firm, conducted separate tests that determined the Android version of at least one app tested by the Journal—BetterMe: Weight Loss Workouts—similarly sent users' weights and heights to Facebook.

    The Journal also employed Disconnect Inc., a software company that creates online privacy tools, to retest some of the apps. Disconnect confirmed the Journal's findings.

    Patrick Jackson, Disconnect's chief technology officer, said, "This is a big mess. This is completely independent of the functionality of the app."

    Why are apps sending data to Facebook in the first place?

    It may seem unusual that Facebook is receiving private data from these apps in the first place, as the apps generally don't post the information to Facebook. But the app developers appear to be taking advantage of a Facebook analytics tool that allows them to track their users' activities—and target them with Facebook ads, the Journal reports.

    Typically, apps integrate code called software-development kits (SDKs) that allows developers to integrate certain functions, the Journal reports. There are a variety of SDKs that allow apps to collect data on their users for personalized advertising or to understand their users' behavior, something a Facebook spokesperson said is an "industry-standard practice."

    However, Facebook's SDK includes an analytics tool called "App Events," which allows developers to see trends among their users, the Journal reports. The app can tell Facebook's SDK to record a specific action taken by a user as a "custom app event" that Facebook will capture, which is how a user's private data is sent to Facebook.

    Facebook then uses that data to personalize ads and conduct market research. In a statement, Facebook said some of the data sharing uncovered by the Journal violated its business terms and that it is telling apps flagged by the Journal to stop sending sensitive user information. "We require app developers to be clear with their users about the information they are sharing with us," a spokesperson for Facebook said.
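    The Journal's method was to monitor what the apps sent to third parties. The following is an added example, not code from the Journal, Disconnect, or any of the apps named above: a small audit routine that scans a captured list of outbound analytics events for health-related fields and for an attached advertising identifier (the detail that undercut the "depersonalized" claim). The request layout, host names, and sample events are constructed placeholders, not any SDK's real wire format.

```python
"""Privacy audit helper: flag outbound analytics events that carry health
data or a device advertising identifier.

Constructed example: the request records below are made up, and the field
layout (host, event, params, advertiser_id) is a simplified stand-in for
whatever an analytics SDK actually puts on the wire.
"""
import re

# Hypothetical: hosts treated as third-party analytics endpoints.
ANALYTICS_HOSTS = {"analytics.example-third-party.invalid"}

# Keys, values or event names that indicate health data was attached.
SENSITIVE_PATTERNS = [
    re.compile(p, re.I) for p in
    (r"heart.?rate", r"bpm", r"period", r"menstru", r"pregnan",
     r"weight", r"height", r"glucose", r"calories")
]

def is_sensitive(key, value=""):
    """True if the key or value looks like health data."""
    text = f"{key}={value}"
    return any(p.search(text) for p in SENSITIVE_PATTERNS)

def audit_event(req):
    """Return a list of findings (strings) for one captured request."""
    findings = []
    if req["host"] not in ANALYTICS_HOSTS:
        return findings          # first-party traffic is out of scope here
    params = req.get("params", {})
    hits = [k for k, v in params.items() if is_sensitive(k, v)]
    if hits or is_sensitive(req.get("event", "")):
        findings.append(f"health data in custom event '{req['event']}': {hits}")
    # An advertising identifier makes the payload linkable to a device,
    # so the data is not depersonalized even if no name is present.
    if req.get("advertiser_id"):
        findings.append("advertising identifier attached; not depersonalized")
    return findings

def audit_capture(requests):
    """Map request index -> findings, for requests that produced any."""
    result = {}
    for i, req in enumerate(requests):
        f = audit_event(req)
        if f:
            result[i] = f
    return result

# Constructed traffic capture (not real app traffic).
SAMPLE_CAPTURE = [
    {"host": "analytics.example-third-party.invalid", "event": "heart_rate_recorded",
     "params": {"bpm": "73"}, "advertiser_id": "CONSTRUCTED-ID-0001"},
    {"host": "analytics.example-third-party.invalid", "event": "app_open",
     "params": {}, "advertiser_id": None},
    {"host": "api.example-app.invalid", "event": "sync",
     "params": {"weight_kg": "80"}, "advertiser_id": None},
]

if __name__ == "__main__":
    for idx, found in audit_capture(SAMPLE_CAPTURE).items():
        print(idx, found)
```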

    Apps change their practices

    After the Journal began the investigation, a number of apps stopped sending sensitive data to Facebook, including Flo and Breethe Inc., maker of a meditation app of the same name.

    Garner Bornstein, the co-founder of Breethe, said, "Clearly, Facebook's business model is unique and, unfortunately, we were not as diligent in aligning our data management with their privacy policy as we should have been."

    Other apps that have since stopped sending sensitive data to Facebook following the Journal's report include:

    • Glucose Buddy;
    • Instant Heart Rate: HR Monitor; and
    • Lose It!

    A sign of a 'broader problem'

    Generally, the collection of health data by non-health entities is legal in most states, as long as there is sufficient disclosure to users.

    Nonetheless, Zeynep Tufekci, an associate professor at the University of North Carolina, Chapel Hill, said what Facebook is doing is indicative of a broader problem in the United States. "The whole surveillance-industrial complex is corrupt and its mechanisms aren't clear to ordinary people," Tufekci said.

    Following the Journal's report, New York Gov. Andrew Cuomo (D) ordered state agencies to investigate the apps mentioned in the report and asked that federal regulators also look into the matter (Schechner/Secada, Wall Street Journal, 2/22; Schechner, Wall Street Journal, 2/24 [1]; Schechner, Wall Street Journal, 2/24 [2]).
