Personal data may be at risk with many health and medical apps, a new study suggests.

An in-depth analysis of more than 20,000 health related apps available through Google Play reveals serious privacy issues, and clinicians should be aware of these when discussing the benefits and risks of mobile-health (mHealth) apps with patients, researchers conclude in The BMJ.

“Clinicians and patients alike should be very careful when deciding to use one of the mHealth apps, whether it is for management of health conditions and symptom checking or other purposes such as menstruation tracking,” said Muhammad Ikram, a lecturer at Macquarie University Cybersecurity Hub in Sydney.

“The vast majority of these apps could not only access, but also would potentially share data with other parties,” Ikram said in an email. “A large fraction of them do also access some data that is not necessarily useful for their original purpose (e.g., the mobile phone tower to which a user’s device is connected.”

“Mobile health applications collect and use potentially sensitive user data,” Ikram said. “This can be shared by the app developers, without user consent, to profile users for insights and advertisement, directly leading to privacy concerns. Overall, data collection practices of health apps were far from transparent and secure, and their scope was beyond what is publicly disclosed by app developers in their privacy policies.”

Ikram and his colleagues identified 20,991 mHealth apps designed for Android phones (8,074 medical and 12,917 health and fitness) on Google Play. They focused their in-depth analysis on 15,838 that did not require a download or subscription fee and compared their privacy practices with those of 8,468 randomly selected non-mHealth apps.

While mHealth apps collected less user data than other types of mobile apps, 88 percent could access and potentially share personal data. For example, about two thirds could collect cookies, one third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device is connected, potentially providing information on the user’s location.

While only 4 percent of mHealth apps actually transmitted data (mostly the user’s name and location information), the researchers say this percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps.

Perhaps even more disturbing, 87.5 percent of data collection operations and 56 percent of user data transmissions were on behalf of third-party services, such as external advertisers, analytics, and tracking providers, and 23 percent of user data transmissions occurred on insecure communication channels.

“It is critical that users are aware of the potential privacy risks,” Ikram said. “It is important to weigh the advantages and risks of using an app and decide accordingly whether it is worth sharing a piece of information that might be sensitive with the app or not. Similarly, it is rather important to be careful when granting these apps permissions to access specific categories of data on your mobile. For instance, these apps might not always need to access your list of contacts or your geolocation. Finally, clinicians recommending mobile apps related to their specialization area need to be aware of their potential risks and inform their patients.”

The new analysis is “impressive in the scale of what they’ve done,” said Dr. Seth Martin, an associate professor of medicine at the Johns Hopkins School of Medicine in Baltimore, director of the digital health innovation laboratory at the Ciccarone Center for the Prevention of Cardiovascular Disease, and co-director of the Center for Mobile Technologies to Achieve Equity in Cardiovascular Health at the Johns Hopkins Hospital.

“A key takeaway from this study is that you should be very careful of what you put on your phone and once you do put something on your phone, you should be mindful of the permissions you give,” Dr. Martin said, adding that privacy concerns aren’t the only issues.

“Does the app measure what it claims it measures,” said Dr. Martin, who was not involved in the new research. “What is the validation for those measurements. There have been issues with apps that claim to measure blood pressure. They actually do not do that.”

Another important question: “does the app help you take the actions you need to take to improve your health,” Dr. Martin said.