Personal data may be at risk with many health and medical apps, a new study suggests.

An in-depth analysis of more than 20,000 health related apps available through Google Play reveals serious privacy issues, and clinicians should be aware of these when discussing the benefits and risks of mobile-health (mHealth) apps with patients, researchers conclude in The BMJ.

“Clinicians and patients alike should be very careful when deciding to use one of the mHealth apps, whether it is for management of health conditions and symptom checking or other purposes such as menstruation tracking,” said Muhammad Ikram, a lecturer at Macquarie University Cybersecurity Hub in Sydney.

“The vast majority of these apps could not only access, but also would potentially share data with other parties,” Ikram said in an email. “A large fraction of them do also access some data that is not necessarily useful for their original purpose (e.g., the mobile phone tower to which a user’s device is connected.”

“Mobile health applications collect and use potentially sensitive user data,” Ikram said. “This can be shared by the app developers, without user consent, to profile users for insights and advertisement, directly leading to privacy concerns. Overall, data collection practices of health apps were far from transparent and secure, and their scope was beyond what is publicly disclosed by app developers in their privacy policies.”

Ikram and his colleagues identified 20,991 mHealth apps designed for Android phones (8,074 medical and 12,917 health and fitness) on Google Play. They focused their in-depth analysis on 15,838 that did not require a download or subscription fee and compared their privacy practices with those of 8,468 randomly selected non-mHealth apps.

While mHealth apps collected less user data than other types of mobile apps, 88 percent could access and potentially share personal data. For example, about two thirds could collect cookies, one third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device is connected, potentially providing information on the user’s location.

While only 4 percent of mHealth apps actually transmitted data (mostly the user’s name and location information), the researchers say this percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps.

Perhaps even more disturbing, 87.5 percent of data collection operations and 56 percent of user data transmissions were on behalf of third-party services, such as external advertisers, analytics, and tracking providers, and 23 percent of user data transmissions occurred on insecure communication channels.