Misleading & Inaccurate Claims in TechCrunch Article and ExpressVPN Report Regarding Privacy & Security for Opioid Addiction Recovery Apps
By Eric Gastfriend, CEO, DynamiCare Health
As an organization that helps people with recovery from opioid addiction, we place great value on privacy and security. People seeking support for addiction should be able to rest assured that their information will be kept confidential and secure. There are rigorous laws and regulations in place to protect patient privacy and data security, such as HIPAA and 42 CFR Part 2. DynamiCare Health is in compliance with these laws and regulations, and we take pride in how rigorously we handle privacy and security. We have a HIPAA Seal of Compliance from the Compliancy Group and we have passed multiple rigorous 3rd-party risk assessments on behalf of health plans & systems we work with.
Unfortunately, a report by ExpressVPN made inaccurate and misleading claims on how the makers of recovery support apps handle sensitive data, which were then covered and repeated in TechCrunch. ExpressVPN is a private corporation using this report to promote its VPN product, not a respected consumer advocacy organization. It appears that TechCrunch repeated the claims made in the ExpressVPN report without fact checking, and certainly without reaching out to the organizations involved for comment. We are disappointed in the lack of analytical and journalistic rigor shown by these organizations. Such baseless attacks can have real negative consequences if they scare people away from seeking support or treatment based on misinformation.
We have reviewed the ExpressVPN report and include a statement below addressing the concerns and issues raised by the ExpressVPN report point-by-point. However, the article and the report go beyond our one organization and app, making broad misleading statements about our industry as a whole. Therefore, we wanted to speak out on behalf of the digital health / telehealth organizations named in the report to clearly voice our objections to the report and article.
Our objections, in order of importance, are as follows:
The authors use insinuation to imply wrongdoing where none exists. For example, the TechCrunch article states that “the actions could be in breach of 42 CFR Part 2,” although there is no reason provided to expect that.
The report and article lack context. The report implies that apps are misusing user data by utilizing GPS location data or Bluetooth connections, when those permissions are actually needed to support key app functionality like appointment check-ins and testing device integrations. The report implies that any sharing of data is inappropriate, whereas in fact sharing data can be necessary for providing high-quality care, and is acceptable when there are appropriate security measures in place along with legal agreements to protect confidentiality, such as a HIPAA BAA.
The report makes meaningless claims. For example, the ExpressVPN report makes the supposed accusation that “5 apps access the phone number.” Why should an addiction treatment provider/app not know the patient’s phone number? In the process of supporting recovery, any tech-enabled provider will have much more sensitive information than the items listed in the report, such as date of birth, substance testing results, and clinical notes, and will treat that information with strict confidentiality.
These pieces imply that app-based programs are less confidential than in-person programs. The report seems to find fault with all 10 apps it reviewed. Generally speaking, app-based programs are better at protecting confidentiality. App-based programs don’t carry the risk, present in in-person programs, that someone might see you and recognize you. Furthermore, as technology-first companies, we hold ourselves to higher standards and vetting, as compared to in-person providers that haphazardly adopted telehealth during COVID and often have less stringent data safety practices in place. Health plans rigorously vet our data security through 3rd-party risk assessments and audits.
The authors should have reached out to the organizations named for comment. We could have easily explained our privacy and security practices, and the reasons why we collect certain types of data.
We welcome scrutiny and promotion of privacy and security issues. We certainly want to know if there are gaps where our security can be improved, which is why we run periodic security audits, risk assessments, and penetration tests. However, privacy activism should come from a place of doing what’s best for the patient or end-user, rather than promoting/selling a VPN product that will “protect” patients from exposing their phone number to their addiction treatment provider.
Point-by-Point Explanation from DynamiCare Health
Regarding use of the Android Advertising Identifier (AAID)
We do not directly use or store the AAID anywhere in our application. This data is stored neither in the application nor in our database. We use only the vital Firebase and Google Crashlytics SDKs from Google, which unfortunately provide no way to opt out of their use of these identifiers. Of course, Google already knows an Android user’s AAID, so we do not see a security concern with this issue. We at DynamiCare are firmly committed to ensuring that our customers’ data stays private and secure.
As reported in the ExpressVPN report, we also do not access phone numbers, telephony information, IMEI, IMSI, serial numbers, network information, or hardware/MAC addresses. We also do not read the list of installed apps nor device logs. Finally, we do not determine calling information, request the initiation of phone calls, read/modify contacts in the address book, nor do we request calendar permissions. We have no need or desire for this information. We abide by the minimum necessary information policies to exceed HIPAA guidelines. We do not send any information about users to advertisers or third parties.
Regarding use of fine and coarse location
A core feature of our application is the ability to earn rewards for attending appointments, which requires us to check the location of the user for the duration of their appointment. We do not track the user’s location outside of these timeframes and any data about the user’s location is securely disposed of automatically after the appointment has ended.
Regarding use of Bluetooth connections
Another feature of our application is the ability to take remote breathalyzer tests. We utilize a wireless breathalyzer, which requires a Bluetooth connection to transmit Blood Alcohol Content (BAC) data between the device and the phone.
This is the full extent of our use of Bluetooth capabilities in our application. We do not attempt to use any Bluetooth functionality to track the user or discern any extraneous information about them.
Regarding use of audio/video recording
When taking remote substance tests with our application, we require that users take a selfie video of themselves so that our staff can confirm their identity and their completion of the substance test. We also ask users to take a “profile photo” so that we can confirm their identity and aid them in reaching and maintaining abstinence.
Substance testing videos are securely disposed of 7 days after the substance test has been reviewed by our internal staff, allowing time for audit if necessary.