SecureMac, Inc.

Checklist 285: Keeping Your Health Data Private

July 1, 2022

Health app data and your privacy. How to keep your health data private. How to check who you’ve shared Health data with.

Checklist 285: Keeping Your Health Data Private

On this week’s Checklist:

  • Keeping your health data private
  • Checking permissions in Apple’s Health app

Why your health data is at risk

We talk a lot about data privacy on The Checklist. But there’s one kind of data that’s more sensitive than most: health data. The National Cybersecurity Alliance explains why: 

Health data is very personal and may contain information we wish to keep confidential (e.g., mental health records) or potentially impact employment prospects or insurance coverage (e.g., chronic disease or family health history).

If you’ve listened to The Checklist once or twice, you know that our data — health data included — is at risk. Unfortunately, tech companies, app developers, and data brokers love to buy, sell, and trade user data. The reason is simple: money. It’s extremely profitable to serve highly targeted ads to users, sell marketing profiles to advertisers, offer businesses insight into which ads are likely to generate the best ROI, and so forth.

It’s often annoying, it’s sometimes infuriating, yet it’s a fact of modern digital life. But when companies scoop up health data along with all of the other data they collect, it can be downright invasive — or even dangerous.

Keeping your health data secure

The good news is that there are some things you can do to keep your private health data, well, private:

  1. Use a VPN or Tor

    If you use the Internet to research a health issue, ISPs and websites can track your activity. VPNs and proxies hide your IP address from prying eyes. You can also use tools like HTTPS Everywhere to make sure your connections with websites are more secure by default.

  2. Browse privately

    Websites track and profile users with tracking cookies. Protect yourself by using your browser in its private browsing mode (Safari and Firefox are your best bets). A good security tool will usually come with a cookie cleaning tool to catch any stray cookies that somehow make it into your cache (yes, it’s been known to happen, even with private browsing.

  3. Search safely

    Not all search engines are created equal. Some of them, including, ahem, the one whose name has become synonymous with what it does, have pretty sketchy records on user privacy. For sensitive stuff, use the more privacy-friendly search engines like DuckDuckGo or Brave Search.

  4. Take secure notes

    If you’re taking notes about something sensitive, don’t just leave it in plaintext on your system. Take advantage of those Secure Notes features offered by password managers or iCloud Keychain.

  5. Use secondary email accounts

    Assuming you trust your healthcare provider to keep confidential information secure, you still can still take some steps to make sure your medical correspondence is more private. Use a secondary email account that isn’t connected to your identity elsewhere online (encrypted services like ProtonMail or Tutanota are ideal).

  6. Use burners or secondary numbers for calls

    If you have to call your doctor, remember that calls get logged. You can protect your privacy by using a secondary number not connected to your main number (e.g., through Google Voice). If you have to talk about something really sensitive, you can also buy a cheap, prepaid “burner” phone for short-term use, and simply get rid of it when you’re done.

  7. Only share health data with trustworthy apps

    Many apps collect data. Then they share it, sell it, or leak it. Don’t give your health data to just any app. Look for companies with a stellar reputation for privacy and security. Only use apps that use end-to-end encryption to transmit data — that way, the developer never has access to your data, and can’t lose it or give it away.

  8. Restrict Location access and turn off tracking

    Mobile apps collect a lot of location information about their owners. That information can reveal details of your doctor’s visits if anyone gets a hold of it. Lock down location data on iOS by going to Settings > Privacy > Location Services to see which apps have location access. Best practice? Don’t give an app your location unless it really needs it to function (e.g., ride hailing apps, Maps, food delivery services). And if you do grant an app location access, use the option that only shares location data when the app is in use.

    Ad tracking is another big source of data collection on mobile devices. On iOS, you can disable it completely. Go to Settings > Privacy > Tracking. Then, toggle off the button that says Allow Apps to Request to Track.

  9. Consider day-of-appointment privacy

    If you want your actual visit to the doctor to remain private, you can take some advanced precautions the day of your appointment. Check out Checklist 188: Don’t Let Your iPhone Give You Away for more details. In addition, consider telling services like Uber or Lyft (if that’s how you’re arriving) to drop you off near your medical practitioner, rather than right at the door. If you’re traveling for a medical procedure, remember that ticket booking platforms store data too, so don’t give your trip a name related to the purpose of your travel. Lastly, if you’re concerned about credit card security and/or your payment paper trail, consider paying in cash or using a prepaid debit card if you know how much a procedure will cost, and if your doctor or clinic’s billing department accepts that form of payment.

The Health app and your data

The reason everyone is so concerned with health data these days is, as you can probably guess, a recent Supreme Court ruling. 

Health data privacy should be everyone’s concern, of course. After all, who knows how a potential employer might react if they learned that you visited a mental health provider for an extended period — or how a licensing body might view your time in rehab.

But this week, as most readers are no doubt aware, everyone is talking about the SCOTUS decision to overturn Roe vs. Wade, the landmark case which made abortion a protected medical procedure in the United States for 50 years. 

The consequences were instant: A number of U.S. states had “trigger laws” that went into effect when the ruling came down, making abortion illegal in some places overnight.

The reversal of Roe vs. Wade has put renewed focus on cycle tracking and data sharing in the Health app. As a recent piece from Apple Insider puts it:

Cycle tracking is a feature built into the Apple Health app, and there are plenty of reasons why it shouldn’t be handed over to third-party data brokers. (…)

Apple hosts a lot of sensitive information within its cycle tracking feature in the Health app. Data points like tracked menstruation cycles, pregnancy test results, and other personal data can be found in the cycle tracking section. This information is highly sensitive and shouldn’t be shared freely with third parties without express permission.

Who has access to your health data?

In and of itself, Apple’s Health app is considered extremely secure. And Apple has a good track record on handling sensitive user data. However, it is possible for users to grant Health data access to third-party apps and devices — and unfortunately, those actors may be less reliable than Apple.

For this reason, now is a great time to review who has access to your Health data. To do this, go to Settings > Health > Data Access & Devices. Here you’ll see a list of all of the apps and devices you’ve given access to your Health data. If you tap an entry, you can see exactly what data it can access. 

If you see anything here that you’re not absolutely sure of, it would be prudent to revoke access immediately. For more information, see Apple Insider’s excellent piece entitled “How to Ensure Apple Health Cycle Tracking Data Stays Private”. 

Do you have a privacy question for The Checklist? Don’t be shy, please write to us and ask!

Get the latest security news and deals