From telehealth platforms and mental health services to medication trackers and symptom checkers, health apps have become a routine part of managing our well-being. But these apps often collect extraordinarily sensitive information — your diagnoses, prescriptions, therapy sessions, reproductive health data, and more — and many share it with advertisers, data brokers, and tech companies without meaningful consent. Here is what you need to know to protect yourself.
The Privacy Problem With Health Apps
A BMJ analysis of nearly 16,000 free health apps found that 88% had the capability to share personal data with third parties such as Google and Facebook. Unlike traditional healthcare providers, the vast majority of consumer health apps are not covered by HIPAA, the federal law that governs medical privacy. This means that the symptom checker on your phone, the meditation app you use before bed, and the period tracker in your pocket operate in a regulatory gray zone where your most intimate health details can be collected, sold, and monetized with few restrictions.
The data these apps collect goes far beyond what most people expect:
- Medical conditions and symptoms you search for or log
- Prescription medications and dosage schedules
- Therapy session notes and mental health assessments
- Reproductive health data including cycle tracking, fertility indicators, and pregnancy status
- Biometric data such as heart rate, blood pressure, and blood glucose readings
- Behavioral patterns including mood logs, sleep data, and substance use tracking
How Health Apps Share Your Data
Tracking Pixels and Advertising SDKs
Many health apps embed tracking pixels from Meta (Facebook), Google, and other advertising platforms directly into their websites and apps. These pixels silently transmit your activity — including the health conditions you research, appointments you book, and prescriptions you fill — back to ad networks. An investigation by The Markup found that dozens of telehealth startups were sending sensitive health information to Big Tech companies through these trackers, often without patients' knowledge.
From 2023 to 2025, hospitals, telehealth platforms, and digital health apps paid over $100 million in penalties and settlements for privacy violations tied to tracking pixel technologies. Advocate Aurora Health paid $12.25 million for exposing 3 million patients' data via Meta Pixel, while Mass General Brigham settled for $18.4 million over cookie and pixel tracking violations.
Third-Party Data Sharing
Health apps routinely share data with analytics companies, advertising networks, and data brokers. This data can be combined with other information about you — your browsing history, purchase records, location data — to build detailed health profiles that are bought and sold without your involvement or consent.
Mental Health Apps Are Among the Worst Offenders
The FTC found that BetterHelp, one of the largest online therapy platforms, shared users' mental health information — including data from intake questionnaires — with Facebook, Snapchat, Pinterest, and Criteo for advertising purposes. BetterHelp was ordered to pay $7.8 million in consumer refunds. Similarly, Cerebral, a mental health startup, discovered that tracking pixels had been sharing client data with third-party platforms for over three years before the exposure was detected. If even major therapy platforms mishandle your data, smaller apps deserve even greater scrutiny.
The HIPAA Gap: Why Most Health Apps Are Not Protected
Many people assume that any app dealing with health information must comply with HIPAA. This is a dangerous misconception. HIPAA only applies to covered entities — health care providers, health plans, and health care clearinghouses — and their business associates. A consumer health app that you download on your own, without a doctor's prescription or involvement, is almost certainly not covered by HIPAA.
This means:
- App developers can share your health data with advertisers and data brokers legally
- There is no federal requirement to notify you if your health app data is breached
- Terms of service can be changed at any time, altering how your previously collected data is used
- Your health data can be sold to insurance companies, employers, and other third parties
The FTC has stepped in to fill some of this gap. In 2023, GoodRx was fined $1.5 million and banned from sharing user health data with advertisers after the FTC found the prescription discount company had been monetizing sensitive health data for years. The FTC also updated its Health Breach Notification Rule in 2024 to explicitly cover health apps and wearables, requiring them to notify users when their data is breached or improperly shared.
New Laws Are Starting to Help
Recognizing the HIPAA gap, states and federal legislators have begun acting:
- Washington My Health My Data Act (2024): The first state law specifically designed to protect consumer health data outside of HIPAA. It requires consent before collecting health data, mandates clear privacy policies, and gives consumers a private right of action to sue over violations. Its definition of "consumer health data" is intentionally broad, covering data from apps, wearables, and even certain retail purchases.
- HIPRA (Health Information Privacy Reform Act): Introduced in the U.S. Senate in November 2025 by Senator Bill Cassidy, this proposed federal law would hold technology companies that collect health-related data to the same privacy and security standards as HIPAA-regulated entities — potentially closing the gap for health apps and wearables nationwide.
- State comprehensive privacy laws: As of 2025, 19 states have enacted comprehensive privacy laws, many with specific provisions for sensitive health data that require opt-in consent before collection.
Check Your State's Protections
Privacy laws vary significantly by state. Washington, Connecticut, Nevada, and several other states have enacted specific protections for consumer health data. Check whether your state has health data privacy protections beyond HIPAA — your rights may be stronger than you think. The FTC's Health Breach Notification Rule also applies nationwide to health apps and connected devices.
How to Protect Your Health Data
1. Audit Your Health Apps
Start by reviewing every health-related app on your phone. For each one, ask:
- Do I still use this app? Delete any health apps you no longer need — they may still be collecting data in the background.
- What data does it collect? Check the app's privacy nutrition label in the App Store or Google Play.
- Who does it share data with? Read the privacy policy, focusing on sections about third-party sharing and advertising.
2. Minimize Permissions
Health apps often request far more access than they need:
- Set location access to "Never" or "While Using" — most health apps do not need your GPS coordinates
- Deny access to contacts, photos, and microphone unless specifically required for the app's core function
- Disable background app refresh for health apps to prevent silent data collection
- Turn off Bluetooth and Wi-Fi scanning permissions where not essential
3. Opt Out of Data Sharing and Advertising
- Look for "Privacy," "Data Sharing," or "Advertising" settings within each health app and opt out of everything you can
- Disable personalized advertising at the device level (Settings > Privacy on both iOS and Android)
- Opt out of research programs and data-sharing partnerships unless you have specifically reviewed what data is shared
4. Use Privacy-Respecting Alternatives
Not all health apps treat your data the same way. Prioritize apps that:
- Store data locally on your device rather than in the cloud
- Offer end-to-end encryption for synced data
- Have a clear, concise privacy policy that explicitly states they do not sell or share data with advertisers
- Are open-source, allowing independent security review
- Use Apple HealthKit or Google Health Connect as intermediaries, which have stricter data-sharing rules than most third-party apps
5. Secure Your Accounts
- Use a strong, unique password for every health app account — a password manager makes this manageable
- Enable two-factor authentication wherever it is available
- Use a dedicated email address for health services, separate from your primary email
- Review connected apps and services regularly and revoke access for anything you no longer use
6. Be Cautious With Telehealth Platforms
Before your next virtual appointment:
- Confirm whether the telehealth platform is HIPAA-compliant — platforms provided through your doctor or insurer are more likely to be covered
- Ask how session recordings or transcripts are stored and who can access them
- Check whether the platform uses tracking pixels from Meta, Google, or other ad networks
- Use the platform's app or website directly rather than clicking links from ads, which may include additional tracking parameters
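As an added example (not code from the original article or from any platform or vendor named in it), the following Python script performs the static tracking-pixel check described in the Tracking Pixels section above and in the telehealth checklist: it scans a saved page's HTML for loads of the Meta Pixel and Google tag endpoints and for the inline calls that initialise them, and strips ad-click parameters (fbclid, gclid, utm_*) from a link. The tracker signature list is an illustrative subset, not an exhaustive one, and the sample page and its pixel and tag ids are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Illustrative subset of tracker endpoints (host, path prefix, label); assumption: not exhaustive.
TRACKER_SIGNATURES = [
    ("connect.facebook.net", "/", "Meta Pixel script (fbevents.js)"),
    ("www.facebook.com", "/tr", "Meta Pixel beacon"),
    ("www.googletagmanager.com", "/", "Google Tag Manager / gtag.js"),
]
# Inline JavaScript that initialises the Meta Pixel or a Google tag.
INLINE_PATTERNS = {"Meta Pixel init": re.compile(r"fbq\(\s*['\"]init['\"]"),
                   "Google tag config": re.compile(r"gtag\(\s*['\"]config['\"]")}
# Query parameters that carry ad-click or campaign identifiers.
TRACKING_PARAM = re.compile(r"^(fbclid|gclid|msclkid|utm_.*)$")

class _TrackerScanner(HTMLParser):  # static scan of one page: external tracker loads + inline init calls
    def __init__(self):
        super().__init__()
        self.findings, self._script_buf = [], None  # (where, host, label); text of open inline <script>
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag in ("script", "img", "iframe") and src:
            u = urlsplit(src)
            for host, prefix, label in TRACKER_SIGNATURES:
                if u.hostname == host and u.path.startswith(prefix):
                    self.findings.append((tag, host, label))
        self._script_buf = "" if tag == "script" and not src else None
    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf += data
    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            for label, pat in INLINE_PATTERNS.items():
                if pat.search(self._script_buf):
                    self.findings.append(("inline", "", label))
            self._script_buf = None

def find_trackers(html):  # returns a list of (where, host, label); no network access needed
    s = _TrackerScanner(); s.feed(html); s.close()
    return s.findings

def strip_tracking_params(url):  # drop ad-click/campaign parameters from a link before using it
    p = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if not TRACKING_PARAM.match(k)]
    return urlunsplit(p._replace(query=urlencode(kept)))

# Constructed sample of a booking page; the pixel and tag ids are placeholders, not real ids.
SAMPLE_PAGE = """<html><head><script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>gtag('config', 'G-PLACEHOLDER');</script></head>
<body><noscript><img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
</body></html>"""
```

Run it against the HTML you save from a platform's booking or login page; a finding for the Meta Pixel beacon or script means your visit is reported to Meta regardless of what the app's privacy settings say.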
Protect Your Complete Digital Privacy
Health app data is just one piece of the puzzle. Data brokers aggregate your personal information from hundreds of sources and make it searchable by anyone online. When combined with leaked health data, this can fuel targeted scams, discrimination, or identity theft.
PrivacyOn removes your personal information from 100+ data broker sites, monitors the dark web for exposed data, and provides 24/7 monitoring to catch new listings. By reducing your digital footprint, PrivacyOn makes it harder for bad actors to connect your health data back to your real identity. With family plans covering up to 5 people and pricing starting at just $8.33/month, it is one of the most effective steps you can take to protect your health privacy.