When it comes to patient health data, strict privacy rules apply in Europe. However, the health app "Ada" reportedly transmitted sensitive data to Facebook and analytics companies in the US.
According to a "heise-online" article and a blog post by IT security expert Mike Kuketz, the application of the Berlin start-up Ada Health on Android smartphones transmits, among other things, the username and health insurance to Facebook. The app also gives Facebook information about whether you smoke, have high blood pressure or have diabetes. Both "Heise online" and Kuketz proved this by analyzes of data traffic.
Security expert advises against the use of the App
The app should help users to interpret disease symptoms. A bot interviews patients about ailments such as headache, loss of appetite and fever. From the answers, software determines which disease might be present and whether the patient should go to a doctor. The app has been downloaded more than five million times on the Google Play Store.
Kuketz, who had already discovered data privacy issues in the health app "Vivy" last year, writes: "It's basically enough to look at the privacy policy in order to avoid the app." Data is already being sent to Facebook before the user even has a chance to read the terms and conditions. In addition, two other trackers had been active during the chat survey by a former "Ada" version.
In addition to Facebook information would also be sent to the analysis companies Amplitude and Adjust. In terms of amplitude, the most sensitive details would be transmitted: the symptoms. The security expert discovered in the data sent his test input "incontinence", which he had entrusted to the app. Only in the Ada version 2.49.1., Which was published after the confrontation of the developers by "Heise", no data transfer to amplitude was to be seen more.
Ada developers are threatening legal action
The "Ada" developers vehemently defend themselves against the allegations. "Third parties without the express consent of users have no access to personal health information," said a spokesman on Friday at the request of SPIEGEL. "Facebook or Amplitude therefore do not know whether a user indicates, for example, to have hypertension or where he is insured."
It will demand "immediate and formal correction and consider further legal action". Meet all the requirements of the General Data Protection Regulation and be a medical device with a CE Class 1 seal of approval. In addition to in-house inspections, the State Office for Health and Social Affairs Berlin also reviewed the app and found "no violations of quality standards and applicable law".
Among other things, "Heise" criticizes the app for sending the so-called Android Advertising ID. This makes it possible to identify users. The reason: Although the advertising ID could be changed, but few users made. This makes it possible to determine the true identity of patients based on additional data such as birthday, place of residence and hobbies.
For about a year, the Techniker-Krankenkasse (TK) supports the app and recommends the virtual symptom check to their customers. At a request of the SPIEGEL, a spokeswoman said: "There will be no exchange of data between Ada and the TK." Basis for the cooperation is the binding observance of the privacy policy and the contractually secured commitment that "no personal information will be disclosed to third parties."
A specialist has checked this statement. The allegations will be dealt with as soon as possible. "We have already requested from Ada Health GmbH a complete disclosure of the data structures," the spokeswoman wrote in an e-mail. "If the allegations are confirmed, we will end the cooperation with Ada immediately."
/cloudfront-eu-central-1.images.arcpublishing.com/prisa/YIVHXZ4ULVEKTCBSNO56RKOWKI.jpg)
