Blood pressure monitors used to secretly track patients

OMRON, a manufacturer of blood pressure monitors and other medical devices, collects location data from millions of users and sends it to a company in the United States. The tracking happens through OMRON connect, an app through which users of the blood pressure monitors can store medical data. The app polls mobile phones several times a day and shares their location, accurate to the meter, with the American company OneSignal, BNR discovered.

Users have no idea that they are being tracked in this way because OMRON does not ask permission to share the location data. That makes this large-scale privacy violation likely illegal, experts told the broadcaster. “If the location can be tracked to an individual, it is prohibited to collect this data without informing users and asking permission,” Floor Terra of Privacy Company said. Location data is not anonymous because it can often be tracked to a person at a certain point in time, Roos Dijkxhoorn of cybersecurity company PuraSec added.

What exactly happens to the location data after OMRON forwards it to OneSignal is unclear. OneSignal did not respond to BNR’s questions on the matter.

OMRON connect has been downloaded over 3 million times worldwide. OMRON would not tell BNR how many Netherlands residents use the app. The company said it was unaware that its app tracks users, blaming OneSignal. OMRON uses OneSignal software to send push notifications, among other things. OMRON said it would stop collecting location data.

“Very problematic,” Liffert Vogt, a professor of internal medicine and board member of the Dutch Hypertension Association, said to the broadcaster. Almost 3 million Dutch people have high blood pressure, and the OMRON monitors are widely used. “The privacy of users must always be guaranteed,” said Vogt.