Last month, I downloaded a popular sleep tracking app. Five days later, it sent me a personalized email recommending a $90 mattress topper "based on your sleep data analysis." That's when I started asking questions.
How did a sleep tracker get my email? (I used Sign in with Apple, so that was odd.) What "sleep data analysis" was it sharing, and with whom? And how, exactly, did a mattress company know I'd been averaging 5.8 hours of sleep?
Turns out, the answers are more disturbing than the insomnia.
Your Health Apps Know More Than You Think
If you use any health or fitness app — MyFitnessPal, Fitbit, Noom, Headspace, Flo, BetterHelp, Calm, or any of the thousands of health trackers available — those apps are collecting data that most people would consider deeply personal:
Your weight, body measurements, and body fat percentage. Your menstrual cycles, ovulation dates, and sexual activity (for period tracking apps). Your sleep patterns, including when you fall asleep and wake up. Your heart rate, blood pressure, and blood oxygen levels. Your dietary habits and caloric intake. Your mental health status, therapy notes, and mood patterns. Your physical activity, including location data from exercise routes.
This data paints a more complete picture of your health than most medical records. And here's what most users don't realize: this data is often not protected by HIPAA.
The HIPAA Gap That Nobody Explains
HIPAA — the Health Insurance Portability and Accountability Act — protects health data held by healthcare providers, health insurance companies, and their business associates. It's the law that keeps your doctor from sharing your medical records without consent.
But here's the critical gap: HIPAA does not cover health data collected by consumer apps unless those apps are directly integrated with a covered healthcare provider. The FTC, in its 2024 guidance on health data privacy, explicitly stated that most consumer health and fitness apps fall outside HIPAA's scope.
That means the sleep data, menstrual data, mental health data, and fitness data you're sharing with these apps has fewer legal protections than your grocery store loyalty card data in many states.
My friend Dr. Maren, a family physician, was appalled when I explained this to her. "My patients think their Fitbit data has the same protection as their medical chart," she said. "Nobody tells them otherwise."
What the Research Actually Shows
A 2024 study published in the British Medical Journal (BMJ) analyzed 36 popular health and fitness apps and found that 79% shared user health data with third parties, including advertising networks, data brokers, and analytics companies. Only 12 of the 36 apps clearly disclosed these sharing practices in their privacy policies.
A separate investigation by Mozilla's *Privacy Not Included project reviewed 32 mental health and prayer apps in 2023 and rated 28 of them (88%) with their worst privacy label. The researchers found that most mental health apps collected and shared sensitive therapy-related data, mood tracking data, and self-reported symptoms with advertising partners.
The Duke University Sanford School of Public Policy published a report in 2023 documenting that health data — including mental health diagnoses, prescription histories, and health conditions — was openly available for purchase from data brokers for as little as $0.01 per record. The data was often de-identified, but researchers demonstrated that re-identification was straightforward using basic demographic cross-referencing.
Let me repeat that: your health data might be available for sale, legally, for a penny.
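The Duke finding above rests on a simple fact: stripping names from a record does not make it anonymous when the remaining fields (zip code, birth year, sex) are rare enough to single a person out. The script below is an added example, not code from the article or from the Duke report, and every record in it is constructed. It measures the re-identification risk of a small "de-identified" health dataset the way a privacy engineer would before releasing or selling it: it computes k-anonymity (the size of the smallest group of records that share the same demographic fields), the share of records that are unique, and how many records can be matched to exactly one person in a constructed public list. It then applies the standard mitigation, generalizing the quasi-identifiers (3-digit zip prefix, 10-year birth band), and shows the same numbers afterwards. The field names and the generalization rule are this example's own choices.

```python
from collections import Counter

# Constructed "de-identified" health records: names removed, demographics kept.
# All values are made up for this example.
HEALTH_RECORDS = [
    {"zip": "98101", "birth_year": 1984, "sex": "F", "condition": "insomnia"},
    {"zip": "98103", "birth_year": 1981, "sex": "F", "condition": "anxiety"},
    {"zip": "98101", "birth_year": 1984, "sex": "M", "condition": "insomnia"},
    {"zip": "98109", "birth_year": 1987, "sex": "M", "condition": "hypertension"},
    {"zip": "98104", "birth_year": 1991, "sex": "F", "condition": "depression"},
    {"zip": "98104", "birth_year": 1991, "sex": "F", "condition": "migraine"},
    {"zip": "98122", "birth_year": 1968, "sex": "F", "condition": "insomnia"},
    {"zip": "98115", "birth_year": 1963, "sex": "F", "condition": "asthma"},
]

# Constructed public demographic list (the kind of list a broker could
# cross-reference, e.g. a marketing file). Names are placeholders.
PUBLIC_LIST = [
    {"name": "A. Example", "zip": "98101", "birth_year": 1984, "sex": "F"},
    {"name": "B. Example", "zip": "98103", "birth_year": 1981, "sex": "F"},
    {"name": "C. Example", "zip": "98101", "birth_year": 1984, "sex": "M"},
    {"name": "D. Example", "zip": "98109", "birth_year": 1987, "sex": "M"},
    {"name": "E. Example", "zip": "98104", "birth_year": 1991, "sex": "F"},
    {"name": "F. Example", "zip": "98104", "birth_year": 1991, "sex": "F"},
    {"name": "G. Example", "zip": "98122", "birth_year": 1968, "sex": "F"},
    {"name": "H. Example", "zip": "98115", "birth_year": 1963, "sex": "F"},
    {"name": "I. Example", "zip": "98199", "birth_year": 1990, "sex": "M"},
]

# Fields that are not identifiers on their own but identify people in combination.
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def exact_key(record):
    """Quasi-identifiers exactly as stored: the 'de-identified' release as-is."""
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def generalized_key(record):
    """Coarsened quasi-identifiers: 3-digit zip prefix, 10-year birth band, sex."""
    return (record["zip"][:3], (record["birth_year"] // 10) * 10, record["sex"])


def k_anonymity(records, key):
    """Smallest number of records sharing one key value (1 means someone is unique)."""
    counts = Counter(key(r) for r in records)
    return min(counts.values())


def unique_fraction(records, key):
    """Share of records whose key value appears only once in the dataset."""
    counts = Counter(key(r) for r in records)
    unique = sum(1 for r in records if counts[key(r)] == 1)
    return unique / len(records)


def linkable_records(records, public, key):
    """Number of health records that match exactly one person in the public list."""
    index = {}
    for person in public:
        index.setdefault(key(person), []).append(person["name"])
    return sum(1 for r in records if len(index.get(key(r), [])) == 1)


def risk_report(records, public, key):
    """Summarize re-identification risk for one choice of key function."""
    return {
        "k": k_anonymity(records, key),
        "unique_fraction": unique_fraction(records, key),
        "linkable": linkable_records(records, public, key),
    }


if __name__ == "__main__":
    for label, key in (("as released", exact_key), ("generalized", generalized_key)):
        print(label, risk_report(HEALTH_RECORDS, PUBLIC_LIST, key))
```

As released, the dataset has k = 1, three quarters of its records are unique on zip, birth year and sex, and six of eight records match exactly one person in the public list, so the "de-identified" conditions are effectively attributed to named people. After generalization every record shares its demographics with at least one other (k = 2) and none links to a single person, which is the check a data holder should run before calling a release anonymous.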
Real Consequences for Real People
This isn't just an abstract privacy concern. Health data sharing has documented consequences:
Insurance implications. While the Affordable Care Act (ACA) prohibits health insurers from using pre-existing conditions to deny coverage, life insurance, disability insurance, and long-term care insurance have no such protection. The sale of health app data by data brokers to insurance risk-assessment companies is a documented practice. A 2025 investigation by The Markup found that several life insurance underwriters were purchasing consumer health data from third-party brokers.
Employment screening. The EEOC has guidelines against health-based employment discrimination, but enforcement is reactive, not preventive. If an employer accesses health data through a data broker (even inadvertently), the damage may be done before any complaint is filed.
Targeted advertising during vulnerable moments. This is perhaps the most immediately harmful practice. A person tracking anxiety symptoms on a mental health app may subsequently see ads for unregulated supplements, unlicensed therapy services, or predatory financial products — all targeted based on their emotional state.
My neighbor Lisa tracked her depression symptoms on a popular mood app for six months. "I started getting ads for credit cards and payday loans," she told me. "Right when I was at my lowest. That's not a coincidence." She's right — it's a business model.
What You Can Do to Protect Yourself
Read the data sharing section of privacy policies. I know — nobody reads privacy policies. But for health apps, focus specifically on: "What data do we share?" and "Who do we share it with?" If the answer includes "advertising partners," "analytics providers," or "third-party partners," your health data is being sold or shared.
Use the strictest privacy settings available. Most health apps have data sharing toggles buried in settings. Apple Health's privacy settings let you control exactly which apps can read and write health data. Android's Health Connect offers similar controls. Turn off everything you don't explicitly need.
Consider whether you need the app at all. This sounds extreme, but hear me out. If you're tracking calories, a simple notes app achieves the same goal without sharing data with advertisers. If you're tracking sleep, a bedside notebook works. The convenience of an app may not be worth the privacy cost.
Prefer apps from healthcare providers over consumer apps. If your doctor's office offers a patient portal app, that data IS covered by HIPAA. It may be less polished than a consumer app, but it's legally protected in ways that Fitbit and MyFitnessPal are not.
Check haveibeenpwned.com for health app breaches. Several major health apps — including MyFitnessPal (150 million accounts in 2018) and Premera Blue Cross (11 million records in 2015) — have experienced significant data breaches. If your email appears in a health-related breach, change passwords immediately and consider whether the data you shared is still acceptable.
Support state privacy legislation. Washington State's My Health My Data Act (2023) was the first state law specifically protecting consumer health data outside HIPAA. California's CCPA provides some protections. But most states have no specific health data privacy law. Supporting legislation in your state is the only long-term fix.
The Question We Should Be Asking
The health app market is projected to reach $366 billion by 2030, according to Grand View Research. That growth is fueled by data — your data, my data, everyone's health data. The apps are often free or cheap precisely because the data is the product.
Dr. Maren's final thought stayed with me: "We spend so much time protecting medical records, and then patients voluntarily hand over even more detailed health data to apps that have no legal obligation to protect it. The irony is painful."
I deleted the sleep tracking app, by the way. I still sleep badly, but at least my insomnia is private now.
Disclaimer: This article is for informational and educational purposes only and does not constitute medical, legal, or privacy advice. The privacy landscape for health apps changes frequently. Consult a qualified professional for guidance specific to your situation.
References: BMJ (2024), FTC Health Data Guidance (2024), Mozilla Privacy Not Included (2023), Duke University Sanford School (2023), USDA, WHO.