Opioid addiction apps used by tens of thousands of people to aid treatment and recovery are accessing sensitive personal information that could be used to identify them, a new study has found.

The ExpressVPN Digital Security Lab study, published on Wednesday, examined the source code of 10 Android apps and found that many of them were accessing private data such as a user’s phone number, carrier and IP address.

When combined, this information can be used to identify users, who then risk being targeted by third parties such as advertisers or authorities. In some instances, information such as location data was found to be shared with Facebook and other third parties.

“This is the equivalent of walking into a medical clinic and the clinic sending your personal health information to Google and Facebook,” said Jonathan Stoltman, director of the Opioid Policy Institute, who served as a catalyst for the research after hearing that these tactics were standard.

The findings come as the rise of remote healthcare services during the pandemic has posed new privacy challenges. In the US, federal laws govern data-sharing in traditional healthcare settings but “in the emerging frontier of tele-health” — a trend supported last year by the Centers for Disease Control and Prevention in line with social distancing guidelines — “there is still much ambiguity,” the report said.

The study examined 10 Android apps including Loosid and Sober Grid that collectively have more than 180,000 downloads. Each has a corresponding app for iPhone but the study was confined to Android platforms.

Loosid and Sober Grid did not immediately respond to requests for comment.

Among the findings were that seven of the 10 apps accessed the phone’s advertising ID — a key identifier whose use is being increasingly restricted by Apple and Google owing to privacy concerns. Five accessed the phone number, several could view a list of all other apps installed on the device, and one even copied the serial number on the phone’s SIM card.
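The identifiers listed above map onto specific Android permissions and framework calls, which is what a source-code review of the kind the study describes looks for. The script below is an added illustration, not code from the ExpressVPN Digital Security Lab or from any of the apps named; it parses a constructed AndroidManifest.xml and a constructed Java fragment and flags the permission grants, identifier-reading calls (advertising ID, phone number, carrier, SIM serial, installed apps, location) and third-party analytics SDK imports that a reviewer would want to triage. The permission and API names are real Android and Play Services identifiers; the sample app, package name and source are invented for the example.

```python
"""Static privacy audit of an Android app's manifest and decompiled sources.

Added example: flags the identifier access the report describes so a reviewer
can decide which apps need a closer look. All inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that gate the identifiers named in the findings.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "phone number / carrier / SIM details",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.QUERY_ALL_PACKAGES": "list of installed apps",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "com.google.android.gms.permission.AD_ID": "advertising ID",
}

# Framework / Play Services calls that actually read those identifiers.
SENSITIVE_CALLS = {
    r"\bgetAdvertisingIdInfo\s*\(": "advertising ID",
    r"\bgetLine1Number\s*\(": "phone number",
    r"\bgetNetworkOperatorName\s*\(": "carrier name",
    r"\bgetSimSerialNumber\s*\(": "SIM serial number",
    r"\bgetInstalledPackages\s*\(": "list of installed apps",
    r"\bgetInstalledApplications\s*\(": "list of installed apps",
    r"\bgetLastKnownLocation\s*\(": "location",
}

# Imports that indicate a third-party analytics SDK is linked in.
THIRD_PARTY_SDKS = {
    r"^import\s+com\.facebook\.": "Facebook SDK",
    r"^import\s+com\.google\.firebase\.analytics\.": "Firebase Analytics",
}


def audit_manifest(manifest_xml: str) -> dict:
    """Return {permission: what it unlocks} for every sensitive grant."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        if name in SENSITIVE_PERMISSIONS:
            found[name] = SENSITIVE_PERMISSIONS[name]
    return found


def audit_source(source: str) -> dict:
    """Return {identifier kind: [line numbers]} for identifier-reading calls."""
    found = {}
    for pattern, what in SENSITIVE_CALLS.items():
        for m in re.finditer(pattern, source):
            line_no = source.count("\n", 0, m.start()) + 1
            found.setdefault(what, []).append(line_no)
    return found


def detect_sdks(source: str) -> list:
    """Return the names of third-party analytics SDKs imported by the source."""
    return [name for pattern, name in THIRD_PARTY_SDKS.items()
            if re.search(pattern, source, re.MULTILINE)]


def audit_app(manifest_xml: str, source: str) -> dict:
    """Combine the three checks; 'exfil_risk' marks identifier reads alongside
    a third-party SDK that could carry them off-device."""
    calls = audit_source(source)
    sdks = detect_sdks(source)
    return {
        "permissions": audit_manifest(manifest_xml),
        "calls": calls,
        "sdks": sdks,
        "exfil_risk": bool(calls) and bool(sdks),
    }


# Constructed sample inputs (hypothetical app, not one of the apps studied).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.recovery">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

SAMPLE_SOURCE = """package com.example.recovery;
import android.telephony.TelephonyManager;
import com.facebook.appevents.AppEventsLogger;
public class Identify {
    String tag(TelephonyManager tm) {
        String number = tm.getLine1Number();
        String sim = tm.getSimSerialNumber();
        return number + sim;
    }
}
"""

if __name__ == "__main__":
    for key, value in audit_app(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

A manifest grant alone is only a capability; the call sites show the identifier is really read, and the SDK imports show where it could leave the device. Running the three checks together turns a long permission list into a short, prioritised set of questions for the app's developer.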

Sean O’Brien, founder of the Yale Privacy Lab and principal researcher at ExpressVPN, said it was not clear whether any of the apps were earning money from sharing this data with third parties. However, he said that even having the capability to send unique identifiers to third parties was a privacy concern.

“Unique identifiers tied to a person’s phone are the last thing consumers should expect to share with a tele-health service via one of these apps,” he said. “Clicking through a permissions screen isn’t blanket consent — especially when we’re talking about addiction, one of the most sensitive subjects in our society.”

Jacqueline Seitz, senior staff attorney for health privacy at the Legal Action Center, said the results were surprising because anyone seeking opioid abuse treatment at a bricks-and-mortar facility would expect the highest level of privacy protection.

“Substance use disorders are frequently criminalised and stigmatised,” she said. “Patients can lose their housing, their job, their kids, their liberty. So information in their treatment records is much stricter than HIPAA,” a decades-old patient privacy law.

Seitz said existing rules “just don’t map neatly” onto mobile health apps, and suggested that the entire tele-health ecosystem would benefit from more regulatory guidance about what the appropriate privacy and security standards are.

“If I go meet a counsellor and talk about my treatment needs, I’m not worried about sharing my location data for the last 48 hours,” she said. “That’s a big distinction highlighted in the report. These apps exist outside the regulatory framework and are collecting such a different scope of information.”