MyFitnessPal Data Breach - Digging Deeper

Posted by: Ellen Schuster, BA, MS on Wednesday, April 18, 2018

Article originally appears in the April 12, 2018 issue of the SNEB eCommunicator.

Will the recent data breach of MyFitnessPal (see the first citation below) be an anomaly? Not likely. Read about the ‘Wild Wild West’ of mobile health app data security, along with some good consumer tips. The Food and Drug Administration (FDA) exercises enforcement over medical-device-type mobile apps (more detail @ https://www.fda.gov/MedicalDevices/DigitalHealth/MobileMedicalApplications/ucm368744.htm), and the Federal Trade Commission (FTC) deals with data privacy and security as well as misleading app claims (more detail @ https://www.fda.gov/MedicalDevices/DigitalHealth/MobileMedicalApplications/ucm368744.htm). Note: this article doesn’t address fitness wearables and other tracking devices - another scary topic!

**MyFitnessPal data breach**
In February 2018 as many as 150 million MyFitnessPal accounts were breached. The breach included email addresses and user names but not financial information or Social Security numbers. Account holders were instructed to change their passwords.
https://www.theverge.com/2018/3/29/17177848/under-armour-myfitnesspal-data-breach-150-million-accounts-security

**MyFitnessPal data hack: it could have been worse**
It appears that Under Armour/MyFitnessPal used good data security procedures. MyFitnessPal isn’t the only app of this type to be breached: recently Strava, a running app, revealed the locations of secret military bases.
https://slate.com/technology/2018/03/myfitnesspal-hack-under-armour-data-breach.html

**Mobile health and fitness apps: what are the privacy risks? (PDF)**
A comprehensive overview of mobile app privacy risks, including the information apps may collect on individuals, the sharing of data with third parties (especially if the app is free and depends on advertising), and poor security. Unfortunately there is little to no regulation in the marketplace. It is up to the consumer to read the app’s policy before downloading or accepting it, to look at the app’s settings to protect privacy, and to check what permissions the app asks for so you can turn off the ones you don’t want. Tips include, if possible, trying the app without entering personal information before deciding to keep it.
https://www.privacyrights.org/printpdf/67502

**Smartphone health apps pose privacy risks**
Summary of the Privacy Rights Clearinghouse 2013 study (see the citation above), which found that 26% of free apps and 40% of paid versions had no privacy policy, either in the app or online.
https://www.consumerreports.org/cro/news/2013/09/health-apps-pose-privacy-risks/index.htm

**Mobile health apps put the data of millions at risk**
A 2016 European study found that 80% of Android health apps don’t meet the standards set to avoid misuse or dissemination of data.
https://www.sciencedaily.com/releases/2018/02/180220102418.htm

**A deep dive into the privacy and security risks for health, wellness and medical apps**
Although the FDA doesn’t regulate health and wellness apps, the Federal Trade Commission does look at deceptive app practices. This article gives examples of how users’ data is used and how it is exposed to misuse.
https://iapp.org/news/a/a-deep-dive-into-the-privacy-and-security-risks-for-health-wellness-and-medical-apps/

**Mobile health app developers: FTC best practices**
April 2016 FTC best practices for mobile health developers. Worth a read even if you don’t develop apps; it includes ‘gems’ like using plain language in privacy agreements (if only) and asking how third parties protect the data they receive.
https://www.ftc.gov/tips-advice/business-center/guidance/mobile-health-app-developers-ftc-best-practices