Your Apps Are Building a Legal Case Against You
Health app data is showing up in courtrooms. Here's how to reduce your exposure before it matters.
A woman spent months opening up to her therapist through a telehealth app, processing a job loss, money worries, and the stress of being nine months pregnant. Two years later, her former employer’s lawyers subpoenaed a full transcript of those conversations and used them in a civil lawsuit against her.
That case involved Talkspace, an online and mobile therapy services app. But the underlying problem is far bigger than one platform.
Millions of Americans are generating detailed records of their mental and physical health every day through apps that most people have never thought could be used against them legally.
Your sleep logs, your step counts, your mood tracking, and your calorie intake data are all stored on someone else’s servers. And when a lawsuit happens, the owner of those servers gets a letter demanding the information.
This has already happened to people in divorce cases, custody disputes, employment lawsuits, and personal injury claims. The incriminating data existed and the other side’s lawyer found it. But by then it was too late to do anything about it.
What “Subpoena” Actually Means Here
Most people think of subpoenas in the context of criminal investigations, like cops at the door, the scenes you would see in a Law & Order episode.
Civil litigation is quieter and far more common. Divorce proceedings, child custody disputes, personal injury claims, and employment lawsuits are the scenarios where health app data is increasingly being pulled into court. They are also the scenarios in which you are far less likely to have thought about the long-term implications of the data in advance.
In divorce proceedings, sleep patterns, stress levels, and activity data from health apps have been used to argue about a spouse’s mental state or ability to care for children. In personal injury cases, defense lawyers can use fitness tracker data to argue that a plaintiff is more active than their claimed injuries would suggest.
In one California case, a victim’s Fitbit showed a spike in heart rate followed by a rapid slowdown at the exact time a suspect claimed he was only there briefly to drop off food. In Connecticut, a man was charged with murdering his wife after data from her Fitbit showed she was moving around an hour after he claimed an intruder had killed her, and that she had covered far more distance than his account described.
These are criminal examples, but they illustrate the basic mechanics at play: apps that record time-stamped physiological data create a parallel account of events. In civil litigation, that parallel account is available to any attorney who files the right paperwork.
Your Health Apps Are Not Protected by HIPAA
Most people assume health data is private because there are laws about health data being private. There are, but those laws don’t apply to most of the apps on your phone.
The information stored in health apps isn’t covered by HIPAA, so companies can legally share the data. HIPAA applies to healthcare providers, insurers, and their direct business partners. The most common examples are your doctor’s office, your hospital, and your insurance company.
A consumer wellness app you downloaded from the App Store is a technology company. It sits entirely outside that regulatory framework.
This means Calm, Headspace, MyFitnessPal, most period trackers, most fitness apps, and most mood-logging tools have no federal obligation to treat your data as medical information. They have privacy notices, but privacy notices are not laws. If you read the fine print, you’ll find that these companies are required to disclose information to law enforcement officials with a subpoena or search warrant, or to other parties if a court so orders.
The one partial exception in the consumer app world is therapy platforms explicitly contracted with licensed providers and billed through insurance. Those may carry HIPAA obligations depending on how they’re structured. But even HIPAA isn’t the full shield people assume it is.
The protected status of “psychotherapy notes” under HIPAA does not generally extend to civil litigation brought by the patient where health records may contain relevant evidence and where the privilege has been waived. A typical example is when someone sues for emotional distress. By doing that, they’ve then made all records about their mental state fair game.
What’s Actually Being Retained
Deleting an app doesn’t delete the data, of course. The data lives on the company’s servers, often indefinitely.
Calm’s data retention policies do not define a clear length of time after which data or cookies are deleted. Headspace says it will keep personal information for as long as needed to perform its obligations, or for as long as legally permitted, and explicitly lists responding to subpoenas and court orders as a stated use of that data. MyFitnessPal retains personal information for as long as you maintain an account or as needed to provide services, and as necessary to comply with legal obligations, resolve disputes, and enforce agreements.
In plain terms: years of data, sitting on servers, are available to any attorney who wants them badly enough and has a plausible legal argument for relevance.
The Talkspace situation illustrates this most clearly. The platform has, by its CEO’s own account to investors, amassed 140 million message exchanges. That database exists because the company records and stores conversations. The individual user never sees that infrastructure. They just see a chat window that feels private.
My Take
What’s making health data more of a personal legal risk isn’t really the law. Subpoenas have always allowed adverse parties in litigation to get at your data. What’s changing is the richness of the data being generated and how long it persists.
Someone going through a divorce ten years ago had a phone and maybe some emails. Someone going through a divorce today potentially has years of detailed sleep data, mood logs, location history, calorie records, menstrual cycle data, and therapy transcripts, all of it stored in cloud accounts they stopped thinking about.
The risk isn’t hypothetical future legislation either. The risk is that the data you generated last year, when nothing was wrong, gets subpoenaed in a proceeding you haven’t imagined yet.
Most people worry about hackers stealing their health data. The more immediate threat, statistically, is a lawyer subpoenaing it.
Auditing Your Exposure: a Threat-Model Approach
The right way to think about this isn’t “which apps are safe”. That’s too vague.
Instead, think about “which apps create risk in the specific scenarios most likely to affect me.” The three scenarios that drive the vast majority of civil health-data subpoenas are: