An Analysis of Genentech's 4HER Mobile Health App Privacy Policy

Genentech's 4HER iPhone App for women with HER2 breast cancer is interesting and perhaps unique in a Mobile Health App developed by a pharma company. The app allows users to send email to other registered users of the app and even notifies them of other users close by.

Here's the iTunes profile of the app:

Genentech's 4HER Mobile App for Women with HER2 Breast Cancer

As I mention in the above profile, there are privacy issues. So, I downloaded the app to read and analyze the privacy policy. My analysis reveals many interesting insights into how the personal information collected from this app will be used by Genentech.

First up: What personally-identifiable information is obtained and how is it used.

Required information that the user explicitly provides when registering.

After registration, Genentech will know your e-mail address and zip code. The company also assumes you are a woman with breast cancer, although some people without breast cancer (like me) can download the app and register.

Users can also provide more information about themselves voluntarily:

Optional information about themselves users may provide.

This is very personal stuff that allows Genentech to personally interact with users through various means, including postal mail and by telephone. Note that Genentech may "combine this information with records from third parties" and use it to "communicate information to" (i.e., market to) users to "facilitate business functions."

Of course, users can always "opt-out," although you must do that through the app itself or uninstall the app.

Note that the app uses the GPS feature of the iPhone to locate users. This can allow Genentech to provide "requested location services." I imagine, for example, if the user is visiting her physician's office, the app will know this and link the user to that practice and/or serve up such things as "Questions to ask your physician" or even ads for Rx products in the hope users will discuss these with their physicians.

The "Connect with a Patient" feature is a feature that I have not seen in other pharma mobile health apps. Before you can use that, you must agree to "Ground Rules," which will be the subject of another post.

Getting back to the privacy policy, although you can opt-out, Genentech reserves the right to retain registration information for a "reasonable time thereafter:"

I guess that's reasonable.

It's good to know that Genentech maintains all this personal health information on a "secure" server and not on the mobile device. Is that any more secure than storage on the iPhone? I guess. In any case, this is what Genentech says about security of the data:

I don't want to burst your balloon, but every company -- including Home Depot and Target -- says the same thing and they have been hacked and as Genentech says, "no security system can prevent all potential security breaches." Keep in mind that the cause of most security breaches is probably an untrained employee. Read, for example, "The FTC-Lilly Consent Decree". That patient security breach happened back in 2002, but Lilly must still answer to the FTC until 2022!

Given the sensitive nature of the data collected to make full use of this app, will a sufficient number of women with breast cancer repeat enough benefits from this app to offset the risks of a data breach?