Mental health apps promise confidential, affordable therapy at your fingertips. Millions of people have trusted platforms like BetterHelp, Cerebral, and Talkspace with their most vulnerable thoughts, diagnoses, and treatment histories. But a wave of FTC enforcement actions, security research, and court cases has revealed an uncomfortable truth: many of these apps have been sharing your most sensitive data with advertisers, social media companies, and data brokers. Here is what you need to know about the privacy risks lurking inside mental health apps and how to protect yourself.
The Scale of the Problem
Mental health apps have exploded in popularity, with tens of millions of users worldwide relying on them for therapy, mood tracking, crisis support, and psychiatric medication management. But the privacy track record of this industry is alarming.
Mozilla's Privacy Not Included research found that 59 percent of the top mental health and prayer apps investigated received warning labels for failing to protect user privacy and security. A separate academic study examining 25 popular Android mental health apps found that every single app contained at least one undisclosed tracker absent from its privacy policy, and 68 percent failed to disclose at least half of the trackers embedded in their software.
In May 2026, security researchers identified more than 1,500 vulnerabilities across several widely downloaded Android mental health apps, with dozens classified as high severity. This means therapy notes, mood logs, and even self-harm indicators could be exposed to attackers.
Apps That Have Been Caught
Several of the biggest names in digital mental health have faced enforcement actions, lawsuits, or public revelations about how they handle user data.
BetterHelp
In 2023, the FTC issued a landmark enforcement action against BetterHelp, one of the largest online therapy platforms in the world. The FTC found that BetterHelp had shared users' sensitive mental health information, including data from intake health questionnaires, with Facebook, Snapchat, Pinterest, and Criteo for advertising purposes, despite repeatedly promising users that their data would remain private.
BetterHelp was ordered to pay $7.8 million in consumer refunds and was permanently banned from sharing health data for advertising. The order also requires BetterHelp to implement a comprehensive privacy program and direct third parties to delete all previously shared consumer health data.
Cerebral
Online psychiatry startup Cerebral disclosed that tracking pixels embedded in its platform had been sharing patient data with Meta, TikTok, and Google for over three years before the issue was discovered through an internal review. The exposed data included patient names, birth dates, IP addresses, insurance information, and responses to mental health self-assessments.
Mozilla's research found that Cerebral set a record among mental health apps by loading 799 trackers within the first minute of downloading the app. Cerebral's data-sharing practices are part of a broader pattern the FTC has targeted among telehealth companies, following similar sanctions against GoodRx, which was fined $1.5 million for sharing prescription and health data with advertisers.
Your Therapy Data Can End Up in Court
In a chilling case reported in 2026, a former hospital employee who used Talkspace for therapy had years of private therapy messages, including text, video, and audio sessions, subpoenaed and turned over as court evidence in a workplace discrimination lawsuit. Talkspace's data retention policies meant the company still held the full record of her sessions. Unlike a traditional therapist bound by state licensing boards and strict confidentiality rules, digital therapy platforms may store and disclose your data under circumstances that would surprise most users.
Talkspace
Talkspace holds one of the largest mental health data banks in the world, containing over 140 million message exchanges between therapists and patients. Reports have raised concerns that the company has been training AI therapy tools on these conversations. A class-action lawsuit alleged that Talkspace embedded TikTok's fingerprinting software on its website, transmitting visitor data, including device details, geographic information, and medical information about minors, to TikTok before users even interacted with the cookie consent banner.
Why Most Mental Health Apps Are Not Covered by HIPAA
Many people assume that any app handling mental health data must comply with HIPAA, the federal law that governs medical privacy. This is a dangerous misconception. HIPAA only applies to covered entities such as healthcare providers, health plans, and healthcare clearinghouses, along with their business associates.
A mental health app that you download directly from the App Store or Google Play, without a prescription or referral from your doctor, is almost certainly not covered by HIPAA. This means the app developer can legally share your therapy data with advertisers, may have no obligation to notify you of a breach, and can change its terms of service at any time to alter how your data is used. The result is a regulatory gap where your diagnoses, therapy conversations, and crisis moments can be monetized with few legal safeguards.
What Data Mental Health Apps Collect
The data collected by mental health apps goes far beyond what most users expect:
- Intake questionnaires: Answers about symptoms, diagnoses, trauma history, substance use, and suicidal ideation
- Therapy session content: Text messages, audio recordings, and video sessions with therapists or AI chatbots
- Mood and behavior logs: Daily mood entries, sleep patterns, anxiety scores, and journaling content
- Prescription and payment data: Medications, dosages, insurance details, and billing history
- Device and location data: IP addresses, GPS coordinates, device identifiers, and browsing activity
The Real-World Consequences
When mental health data reaches advertisers, the effects can be immediate and distressing. Someone using a mental health app to seek help for depression may start seeing targeted advertisements for antidepressants, even if they never expressed interest in medication. Data broker profiles enriched with mental health signals can influence insurance underwriting, employment background checks, and even housing decisions. The data you share in a moment of vulnerability can follow you for years.
FTC Enforcement Is Increasing
The FTC has made digital health privacy a priority. Beyond the BetterHelp action, GoodRx was fined $1.5 million in 2023 for sharing prescription data with Facebook and Google. The FTC also expanded its Health Breach Notification Rule in 2024 to explicitly cover health apps and wearables. From 2023 through 2025, telehealth platforms and digital health apps collectively paid over $100 million in penalties and settlements for privacy violations tied to tracking pixels. These enforcement actions signal a shift, but they are reactive: they address violations after your data has already been exposed.
How to Protect Your Mental Health Privacy
1. Evaluate Before You Download
Before installing any mental health app, check its track record:
- Look up the app on Mozilla's Privacy Not Included guide for independent privacy ratings
- Read the privacy policy, paying close attention to sections on third-party sharing, advertising, and data retention
- Check whether the app has faced any FTC actions, lawsuits, or data breaches
- Favor apps that are explicitly HIPAA-compliant or provided through your healthcare provider
2. Minimize Data and Lock Down Permissions
- Avoid filling in optional fields on intake questionnaires
- Use a dedicated email address not linked to your real identity when creating accounts
- Set location access to "Never" and deny permissions for contacts and microphone unless essential
- Disable background app refresh and turn off personalized advertising at the device level
3. Choose Privacy-Respecting Alternatives
Not every mental health app treats your data carelessly. Mozilla gave its "Best Of" privacy citation to apps like PTSD Coach (developed by the U.S. Department of Veterans Affairs) and the AI chatbot Wysa, which stood out for doing privacy and security right. Look for apps that store data locally, use end-to-end encryption, and have transparent data practices.
4. Request Data Deletion
If you stop using a mental health app, do not just delete it from your phone. First:
- Go into the app's settings and request deletion of your account and all associated data
- Follow up by email to confirm the deletion was processed
- Check whether your state's privacy law gives you a right to delete that the company must honor
Protect Your Broader Digital Footprint
Even if you lock down every mental health app on your phone, data brokers may already hold personal information about you collected from hundreds of other sources: public records, social media, purchase histories, and data breaches. When this information is combined with leaked or shared mental health data, it creates a detailed profile that can be used for targeted advertising, discrimination, or identity theft.
PrivacyOn removes your personal information from over 100 data broker and people-search sites, continuously monitors for new listings, and scans the dark web for exposed data. By reducing your digital footprint, PrivacyOn makes it harder for anyone to connect leaked mental health data back to your real identity. Plans start at $8.33/month with family coverage for up to 5 people.
Your mental health data deserves the same confidentiality you would expect from a therapist's office. Until regulations catch up, protecting yourself starts with understanding the risks and taking deliberate steps to limit your exposure.