
The Apps Selling Your Health Data — Named and Explained

Period trackers, mental health platforms, and fitness apps have sold your most intimate health information to advertisers — and in most cases, it was completely legal.

By QuanMed AI Research Team — Quantum Medicine Research Division

Published: 30 July 2026

When you log a missed period, describe a panic attack to a therapy chatbot, or track your prescription refill, you believe you are doing something private. The app on your phone feels like a personal journal. In reality, for a large number of the most popular health and wellness applications on the market, that information is a commodity — packaged, transmitted, and sold to advertising networks, data brokers, and pharmaceutical companies within seconds of you entering it.

This is not speculation or fear-mongering. It is documented by FTC enforcement actions, academic research, investigative journalism, and the companies' own privacy policies. The difference between what users believe they are consenting to and what actually happens with their data is one of the largest ongoing consumer protection failures in the digital age. Understanding which apps have been caught, how the data economy works, and what legal protections actually exist is the first step toward protecting yourself. As our investigation into how health data is bought and sold establishes, the market for personal medical information has grown into a multi-billion-dollar industry operating largely in the open.

The Documented Cases: Apps Named and Their Actions

Flo Health — Period and Pregnancy Data to Facebook and Google

Flo Health, which claims over 200 million users, was the subject of a Wall Street Journal investigation in 2019 that found the app was transmitting users' period dates, pregnancy status, and fertility information to Facebook's analytics SDK — even when users had no Facebook account. The data was shared via the Facebook Analytics for Apps tool embedded in Flo's codebase. When the investigation was published, Facebook stated it required apps to obtain consent before sending sensitive data; Flo stated users had agreed to its privacy policy. A 2021 FTC settlement required Flo to obtain users' affirmative consent before sharing health data and to instruct third parties to delete previously shared data. The settlement imposed no financial penalty.

BetterHelp — Therapy Session Data to Advertisers

BetterHelp, one of the largest online therapy platforms in the United States with over three million users at its peak, settled with the FTC in March 2023 for $7.8 million — the first major FTC enforcement action specifically targeting a mental health app. The FTC alleged that BetterHelp shared users' email addresses, IP addresses, and the fact that a user had previously sought mental health counseling with Facebook and Snapchat for advertising purposes, despite repeatedly promising users that their health data would never be used for advertising. The data was used to build custom advertising audiences to recruit additional therapy customers — meaning the intimate fact of seeking mental health treatment was weaponized as a marketing signal.

What "De-Identified" Actually Means

Companies frequently claim they only share "de-identified" or "anonymized" data. Research published in Nature and at MIT has repeatedly demonstrated that health data can be re-identified with high accuracy using as few as four data points — age, sex, zip code, and one medical event. When an app shares your "anonymous" prescription history with a data broker who already holds your name, address, and browsing history, re-identification takes seconds. The legal safe harbor of de-identification is far weaker in practice than it sounds in a privacy policy.
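To make the re-identification risk above concrete, here is an added example (not code from the article or from any company it names) that measures the k-anonymity of a constructed "de-identified" dataset: it groups records by the quasi-identifiers the article cites (age, sex, ZIP code), flags any record that is unique on them, and shows how much coarsening of those fields is needed before every record hides among at least one other. The records and the bucket sizes are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample of "de-identified" app records: names removed, but the
# quasi-identifiers remain. "event" is the sensitive value that linkage to a
# broker file (which holds age, sex and ZIP alongside a name) would expose.
RECORDS = [
    {"age": 34, "sex": "F", "zip": "98107", "event": "missed_period"},
    {"age": 34, "sex": "F", "zip": "98107", "event": "missed_period"},
    {"age": 41, "sex": "M", "zip": "10012", "event": "hiv_test"},
    {"age": 29, "sex": "F", "zip": "60614", "event": "anxiety_episode"},
    {"age": 29, "sex": "F", "zip": "60615", "event": "anxiety_episode"},
    {"age": 58, "sex": "M", "zip": "10012", "event": "insulin_refill"},
]

QUASI_IDS = ("age", "sex", "zip")


def equivalence_classes(records, keys=QUASI_IDS):
    """Count how many records share each quasi-identifier tuple."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def k_anonymity(records, keys=QUASI_IDS):
    """Smallest class size; k == 1 means some record is unique on its QIs."""
    classes = equivalence_classes(records, keys)
    return min(classes.values()) if classes else 0


def unique_records(records, keys=QUASI_IDS):
    """Records that no other record matches on the quasi-identifiers."""
    classes = equivalence_classes(records, keys)
    return [r for r in records if classes[tuple(r[k] for k in keys)] == 1]


def generalize(record, age_bucket=10, zip_digits=3):
    """Coarsen QIs: age to a band of `age_bucket` years, ZIP to a prefix."""
    lo = (record["age"] // age_bucket) * age_bucket
    age_band = f"{lo}-{lo + age_bucket - 1}"
    return {**record, "age": age_band, "zip": record["zip"][:zip_digits]}


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS))  # 1: four records are unique
    for r in unique_records(RECORDS):
        print("unique on (age, sex, zip):", r)
    # Decade bands plus 3-digit ZIPs still leave two men in 100xx unique;
    # 20-year bands are needed before every record has a twin (k = 2).
    print("k with 10-year bands =", k_anonymity([generalize(r) for r in RECORDS]))
    print("k with 20-year bands =",
          k_anonymity([generalize(r, age_bucket=20) for r in RECORDS]))
```

A dataset with k = 1 on these fields is exactly the case the article describes: a broker holding age, sex and ZIP next to a name can resolve the unique records directly, whatever the privacy policy calls them.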

GoodRx — Prescription Data to Facebook and Google

GoodRx, a prescription discount service used by tens of millions of Americans, settled with the FTC in February 2023 for $1.5 million over allegations that it had shared users' prescription drug data and health conditions with advertising companies including Facebook, Google, Criteo, and others. The FTC's complaint was notable because GoodRx explicitly marketed itself as a HIPAA-compliant service that would never sell personal information. In fact, the company shared data including the names of drugs users searched for — which can reveal conditions ranging from HIV to diabetes to mental illness — with advertisers who used it to serve targeted ads. GoodRx is still operating, and the $1.5 million fine represented a fraction of its revenues.

Grindr — HIV Status and Location Data Sold to Third Parties

In 2018, Norwegian nonprofit SINTEF found that Grindr, the LGBTQ+ dating and social network, was sharing users' HIV status — an extraordinarily sensitive medical attribute — along with precise GPS coordinates with two third-party companies: Apptimize and Localytics. Grindr had asked users to voluntarily disclose their HIV status and last testing date, ostensibly to help users find partners and reduce transmission. That data was then routinely shared in bulk with analytics vendors. Grindr also sold advertising data packages to other third parties. In 2020, Norwegian regulators fined Grindr €6.5 million (later reduced on appeal) for sharing sexual orientation data without valid consent under GDPR. The case demonstrated that even voluntary health disclosures made in a perceived community context are not protected from commercial exploitation.

The Legal Gap: Why Most of This Is Permitted

The core reason consumer health app data sales are difficult to stop is structural: HIPAA, as explained in our patient guide, applies only to covered entities — hospitals, licensed physicians, health insurers, and their direct business associates. A period tracking app, a mental health chatbot, a fitness tracker, or a symptom checker is none of these things. It is a consumer software product, and consumer software products are regulated primarily by the FTC Act's prohibition on deceptive practices — not by any health-specific privacy law at the federal level.

This means an app can legally sell your therapy session metadata, your fertility tracking data, your medication list, and your symptom history to any third party it chooses — as long as its privacy policy disclosed this possibility in sufficiently broad language and users clicked "I agree." The FTC can only act when a company actively lied about what it was doing, not merely when it buried the truth in a 10,000-word policy document.

State Laws Are Leading the Way

In the absence of federal consumer health privacy legislation, several states have passed their own laws. Washington State's My Health My Data Act (2023) is the most comprehensive, extending health data protections to any entity that handles consumer health data regardless of HIPAA status. California's CCPA/CPRA gives residents the right to know what data is collected, to opt out of sales, and to request deletion. Virginia, Colorado, Connecticut, and Texas have similar comprehensive privacy laws. If you live in one of these states, you have meaningful legal rights — but you have to exercise them proactively.

How Health App Data Flows Through the Data Economy

Most users imagine that when their health data leaves an app, it goes to one buyer. The reality is a complex chain of intermediaries. A period tracker might share your cycle data with a mobile analytics SDK embedded in its code — that SDK provider then aggregates your data with data from hundreds of other apps into a unified behavioral profile. That profile is sold to a data broker, who merges it with your name, address, income estimate, and offline purchase history purchased from retailers. The resulting combined file is then licensed to health insurers, pharmaceutical marketers, employers conducting background checks, and political campaigns — none of whom you ever interacted with.

The health data breach epidemic has made this worse by creating a secondary market in stolen health records that merges with the legal commercial data market. A stolen electronic health record containing your diagnoses and prescriptions becomes more valuable when combined with legally purchased app data showing your browsing and purchase behavior. The line between the legitimate data economy and breached data is increasingly porous.

The SDKs Inside Your Apps

Much of the data leakage from health apps happens not through deliberate policy decisions but through the SDKs — software development kits — that developers embed to add functionality like analytics, crash reporting, or advertising. When a developer integrates Facebook's SDK, Google Firebase, or an advertising network's code into their app, that SDK can independently collect and transmit data to its parent company regardless of the app developer's intent. Studies by Oxford Internet Institute and Exodus Privacy have found that the average Android health app contains three to five third-party SDKs, each with its own data collection practices. Developers frequently don't read the full terms of the SDKs they integrate.

Mental Health Apps: The Most Sensitive Category

Mental health apps represent a particularly acute version of this problem. Apps offering cognitive behavioral therapy exercises, mood tracking, anxiety management, and online therapy have proliferated since the COVID-19 pandemic dramatically expanded demand for mental health support. A Mozilla Foundation report evaluating 32 mental health apps in 2021 found that 28 of them failed basic privacy standards, 25 shared or sold user data, and only three apps could confirm they used encryption for data at rest. The apps studied included Calm, BetterHelp, Talkspace, and dozens of smaller offerings.

The sensitivity of mental health data cannot be overstated. A diagnosis of depression, anxiety disorder, bipolar disorder, or substance use disorder can affect employment decisions, insurance underwriting, custody determinations, and security clearances. When that information is shared with advertising networks and data brokers who have no obligation to keep it confidential, it enters a circulation that cannot be recalled. Users who disclosed their mental health history to a therapy app in 2019 may find that information in data broker profiles used against them a decade later.

Talkspace and Others Under Scrutiny

Talkspace, another major online therapy platform, updated its privacy policy in 2020 to explicitly permit it to use "de-identified" therapy content — including transcripts of therapy conversations — for research, product development, and other purposes. While the company stated this data was anonymized, independent security researchers raised concerns about the adequacy of the de-identification process and the breadth of permitted uses. The platform later updated its policy after public pressure, but the episode illustrated how even therapy session content — among the most intimate data a person generates — is treated as a raw material to be processed and potentially monetized.

Fitness Trackers and Wearables: Always-On Data Collection

Fitness trackers and wearables present a different dimension of the problem: continuous, longitudinal health monitoring generating streams of data about sleep, heart rate, activity level, stress indicators, and reproductive cycles. Fitbit's 2021 acquisition by Google raised immediate concerns from privacy advocates, since Google's advertising business now had direct access to biometric data from millions of wearable users. Google's privacy policy permits it to use Fitbit health and wellness data across its products for purposes including advertising, though users can opt out of some uses.

A 2020 study published in JAMA Network Open found that 19 of 24 popular health apps shared user data with third parties, and that the most common recipients were Google (in 79% of apps), Facebook (in 46% of apps), and various analytics companies. For wearable companion apps specifically, the data shared typically included not just activity counts but sleep duration and quality, heart rate variability, and GPS movement patterns — a remarkably complete picture of daily health and behavior. Research into AI-powered wearable health monitoring continues to expand what these devices can infer about health status, making the data they generate more valuable — and more sensitive — every year.

What You Can Actually Do

Evaluate Apps Before You Share

Before entering sensitive health information into any consumer app, investigate its data practices. The Mozilla Foundation's Privacy Not Included guide rates popular apps on privacy. Exodus Privacy (exodus-privacy.eu.org) lets you scan Android apps to see which tracking SDKs they contain. Read the privacy policy with specific attention to: whether the app distinguishes between "sharing" and "selling" data (both move data to third parties), who the named third-party partners are, what "de-identified" sharing actually means in the policy's definitions, and whether you have any meaningful opt-out rights.

Use System-Level Privacy Controls

Both iOS and Android have strengthened privacy controls that limit what apps can access and transmit. On iOS, disable tracking via Settings > Privacy & Security > Tracking, and review app permissions under Privacy & Security for location, health, contacts, and microphone. On Android, use the Privacy Dashboard (Android 12+) to see which apps accessed sensitive permissions in the previous 24 hours. Deny location access to health apps that don't require it for their core function. Disable background app refresh for apps that don't need it, which reduces the data collection window.

Exercise Your Legal Rights If You Have Them

If you are a California, Virginia, Colorado, Washington, or Texas resident, you have statutory rights to request deletion of your health data from apps and data brokers, to opt out of the sale of your personal information, and to receive a copy of what has been collected about you. Most companies are legally required to honor these requests within 45 days. Submit requests directly to apps you have used and to major data brokers (Acxiom, LexisNexis, Oracle Data Cloud, Nielsen) using their legally mandated opt-out mechanisms. This will not erase data already sold, but it limits future accumulation.

Prefer On-Device and Federated Alternatives

An emerging category of health apps processes data entirely on-device, meaning sensitive information never leaves your phone and cannot be transmitted to third parties. Apple's Health app stores data locally and requires explicit permission for third-party apps to read it. Research into federated learning in healthcare is enabling AI models to improve on aggregated insights without individual data ever leaving the device. When evaluating health apps, look for explicit statements about on-device processing, end-to-end encryption, and no third-party SDK integration — and treat the absence of these features as a warning sign rather than the norm.

The deeper issue is that consumer health apps have been built on a business model that treats user data as the product rather than the service. Until that business model changes — through regulation, competitive pressure from privacy-respecting alternatives, or informed consumer demand — the incentive structure that produces these data sales will remain. Understanding who owns your health data, who can access it, and what legal frameworks apply is not a technical curiosity. It is a prerequisite for making informed decisions about your own medical privacy.

Your health data is not a side effect of using health apps — for many of these companies, it is the entire point.


© 2026 QuanMed - All rights reserved