
Warning: *Privacy Not Included with this product
Recovery Record makes two separate apps to help people manage eating disorders. The first is targeted at patients and is free to download and use. Called Recovery Record: Eating Disorder Management, this app helps users keep track of their meals, create customized meal plans and eating schedules, send and receive anonymous encouraging messages with other users, and share their recovery journey with their treatment team.
The second app, called Recovery Record for Clinicians, is designed to let eating disorder treatment professionals engage with their patients between visits to help keep them on track in their recovery. The app for clinicians requires a subscription, costing between $9 and $80.
How do these apps look from a privacy perspective? Well, when we first published our review of Recovery Record, users could sign in using the weak password "111111", we couldn't determine if they used encryption or had a way to manage security vulnerabilities, and their privacy policy raised a number of concerns for us. After we published our review, Recovery Record reached out to us, updated their password requirement to require a strong password, and clarified their use of encryption and how they manage security vulnerabilities, so we can now confirm they meet our Minimum Security Standards. They also updated and clarified some parts of their privacy policy. We appreciate the work they did to make their app better. We still have a few concerns based on their privacy policy, but Recovery Record seems willing to improve and we like that.
What could happen if something goes wrong?
Recovery Record updated their privacy policy in May 2022 after we published our review. They have since clarified some things in their privacy policy that help us feel better about some of the concerns we have. We still have a few questions about their privacy practices, but fewer than before.
Recovery Record can collect a fair amount of personal and usage data, including name, age, gender, city/town, and email address. They also say "clinicians and support persons involved in your care may provide us information, including protected health information, about you." They do say US HIPAA privacy laws require them "to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of this information." This is a fine line it seems many mental health apps walk -- the line between the privacy protections therapists are required to follow under HIPAA laws and the current data economy apps operate under that leads to the collection of personal information to provide and market their paid services.
Recovery Record also may collect anonymized or aggregate data and "use it for any purpose." That's a pretty broad statement. Especially because it's been shown to be pretty easy to re-identify user data.
Another line from Recovery Record's privacy policy leaves us just a little worried: "From time to time, we may desire to use information about you for uses not previously disclosed in this Privacy Policy. If our practices change regarding previously collected information in a way that would be materially less restrictive than stated in the version of this Privacy Policy in effect at the time we collected the information, we will make reasonable efforts to provide notice and obtain consent to any such uses as may be required by law." All that sounds like it could be fine. However, as The Verge pointed out, mental health apps can change their privacy policies at any time and they don't always make a lot of effort to let users know when their privacy practices have changed. Hopefully Recovery Record will ensure all users know when and if their privacy policies change.
We'll end with one more statement from Recovery Record's privacy policy that serves as a warning for everything shared on the internet: "Unfortunately, the Internet and mobile networks over which our Services are delivered cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any information you provide to us. We do not accept liability for unintentional disclosure." What's the worst that could happen? Well, we worry that your very sensitive eating disorder information could wind up in the hands of someone you really don't want to have that information, and that doesn't sound healthy at all. Hopefully that will never happen.
Tips to protect yourself
- Do not provide consent for sharing personal data with third parties, whenever possible.
Can it snoop on me?
Camera
Device: N/A
App: Yes
Microphone
Device: N/A
App: No
Tracks location
Device: N/A
App: No
What can be used to sign up?
Yes
Phone
No
Third-party account
No
What data does the company collect?
Personal
Email, name, age, gender, city/town
Body related
Clinicians and support persons involved in your care may provide information, including protected health information, about you.
Social
How does the company use this data?
How can you control your data?
What is the company's known track record of protecting users' data?
No known privacy or security incidents discovered in the last 3 years.
Child privacy information
Can this product be used offline?
User-friendly privacy information?
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
Data is encrypted in transit (TLS). PHI and PII are encrypted in the database (AES). A KMS is used to manage keys. EBS (disks) partitions are encrypted. Backups are encrypted.
Strong password
When we first reviewed Recovery Record, the weak password "11111111" was allowed. Since we published our review, Recovery Record has updated their password requirements to require a strong password, which we love to see.
Security updates
Manages vulnerabilities
While Recovery Record doesn't have a bug bounty program, they do say they have policies and procedures that have been reviewed by third party assessors as part of the HITRUST certification process. Anyone can contact them through https://www.recoveryrecord.com/contact to report a security vulnerability.
Privacy policy
Learn more
- The Best Eating Disorder Recovery Apps for 2022 (Healthline)
- Mental health app privacy language opens up holes for user data (The Verge)
- Eating Disorders: How mHealth Apps May Improve Treatment Adherence (Psycom Pro)
- Recovery Record app (Health Navigator)
- Researchers spotlight the lie of ‘anonymous’ data (TechCrunch)
- How to Create a Mental Health App to Track Anxiety and Depression (aimprosoft)
- Summary of the HIPAA Privacy Rule (U.S. Department of Health and Human Services)