PHI of Thousands of Mobile Health App Users at Risk in Mobile App Security Breach

PHI of Thousands of Mobile Health App Users at Risk in Mobile App Security Breach

A security vulnerability in the back-end server for thousands of mobile apps exposes more than four million protected health records, including prescription details and sensitive chat messages, a new report reveals.

Google Firebase, which is one of the most popular back-end database solutions for mobile apps, “does not secure user data by default, provide third-party encryption tools, or alert developers to insecure data and potential vulnerabilities,” notes the authors of a report by Appthority, a mobile app security firm. “To secure data properly, developers need to specifically implement user authentication on all database tables and rows, which rarely happens in practice. Moreover, it takes little effort for attackers to find open Firebase app databases and gain access to millions of private mobile data app records.”

While this vulnerability affects apps for several different industries and purposes, the health data exposed presents the biggest risk to consumers and providers because health data is more valuable on the black market than other personally identifiable information. Hackers can use that data to file fraudulent insurance claims, and purchase drugs and medical devices. In this case, Appthority says that apps that leaked the most data through this security gap were health and fitness apps.

Appthority recommends that companies that have used the database take steps to ensure that branded apps developed in-house or by a third party recognize the vulnerability, and to be aware of exposure resulting from other public apps downloaded by employees to company-owned or bring-your-own devices, Mobihealth News reports.

AHIMA has provided guidance in the past to help consumers who suspect their mobile health data has been breached. Some of these actions include:

  • Review privacy settings of both the app and your mobile device. Know your options and what the default settings are.
  • Look for a sign of certification such as the TRUSTe® seal, which is used by some vendors to signify they meet cybersecurity guidelines.
  • Utilize password protection and encryption where provided.
  • Record your phone’s identifier somewhere safe. An example is the electronic serial number used for cell phone activation (12-digit number).
  • Don’t share confidential and personal health information through texts, as texting is not secure.
Mary Butler is the associate editor at Journal of AHIMA.