Mind My Marbles — Are Online Therapy Apps private?

Mental health awareness is on the rise, and with it an army of online therapy apps; but are they safe?

Forever the skeptic, my first thoughts were “yeah right, that’s not a real therapist on the other end”. As more of these apps came up, I decided to dig a little deeper into their security features. After all, if it is really therapy, you’re probably sharing some pretty private stuff. I am not a cyber security expert so I admit there may be better questions to ask in order to verify this, but I did my best with my limited knowledge. I implore you to do your own research if you are considering signing up to any online mental health service.

My Questions

I collected a list of apps I came across and sent them all the same set of questions. Many of these apps are registered in the US, which may mean they have a loophole in abiding by certain regulations in Europe (maybe?). Also, keep in mind that the field of psychology is not fully regulated by the UK government, so in theory anyone can call themselves a therapist! Below is the list of questions I sent and a summary of the answers I received. If you are a lawyer or a cyber security expert, please drop your knowledge in the comments.

  • How do I know if I am talking to the same person every time?

Feelya

Feelya say they use OpenTok (developed by Vonage Inc) and do not use any web-based commercial software for their audio/video sessions. Vonage is HIPAA compliant (a US federal law) and has HITRUST CSF certification (a US framework).

All audio/video is encrypted using these protocols: SRTP and DTLS-SRTP. (🤷‍♀️) Both client and therapist endpoints use the AES cipher with 128-bit keys. Data integrity is verified using HMAC-SHA1. No sessions are recorded.

Feelya is compliant with GDPR (Data Protection Number is ZA250334). All therapists are UK based, vetted, and are registered with either HCPC, UKCP, BPS, or BACP.

Privacy policy.

Talkspace

Quite a below average response here unfortunately. They let me know that their services are available outside of the US and that their prices are listed in multiple currencies. Most therapists are based in the US. All “providers” are licensed and they verify clinical quality and licensure for everyone.

For the rest, I was pointed toward their FAQ. It mentions that it is HIPAA compliant (a US law) and encrypted. For more info you have to go another step and read their privacy policy (I did not).

ReGain

Another lame reply. Basically just a link to their privacy policy.

They mentioned that I will “see” the therapist I’m matched with from the account and can check their licenses. I’m not sure what “see” means here, is it just a text profile with a photograph? Easily forged in my (skeptical) opinion.

All therapists are US based, but several are licensed to be able to work internationally (no mention of what license they are referring to). They can offer their services to almost all countries.

IESO

This one was a tad worrying, but the massive caveat being I know nothing about cyber security. It just sounds a little simple to me…

Any data they keep is stored on a database behind a firewall in a data centre that has several layers of security. Appointment transcripts are encrypted before being stored.

I was then given a contact phone number I could call to get more info on who from the service can access my data.

Thrive

To address a bit of bias here, I have used this app as I was given access to it via a previous employer. I only used the “DIY” services and did not have interaction with therapists. It was quite useful if you like CBT. Anyway, on to the response…

Therapist profiles showing experience and qualifications will be visible to the user. They have a two-step assessment process before you are matched to a therapist. All therapists are UK based and are supervised by consultant level clinicians.

They are GDPR compliant and ISO27001 certified. They regularly test their security and all data is encrypted. Their service is only available in the UK.

Privacy policy.

Qwell (Kooth)

This response nearly wasn’t included as it came in quite late. They advised that the “practitioner” will introduce themselves at the start of every chat. They mention it is not uncommon for the first 3 sessions to be done by different practitioners while they assess your needs.

They can only offer assurances that you are dealing with a real person. I can understand that, but I also feel like they should go the extra mile to make that clear.

They assure they have robust recruitment processes in place to check qualifications, BUT, they do say that their “practitioners” (I don’t know why I don’t like that word) are both accredited counsellors and counsellors working towards accreditation. I only hope that they make it clear if you are dealing with a trainee.

Privacy policy.

To Conclude

Honestly, some of the responses regarding encryption protocols and cyphers have gone totally above my head so I cannot tell you if those are good, bad, or average (also why I didn’t delve into the privacy policies in detail). I find it encouraging that some of these platforms are taking this seriously by responding to the questions with some detail. As always, if you do want to pursue this for yourself — research, research, research, ask a medical professional for a recommendation, research, ask another medical professional…you get the picture. Take this seriously and make sure you know who you are sharing your intimate thoughts with.

I did not get a response from BetterHelp (‼️), Ginger, Larkr, TeenCounselling, 7cups, Harley, Tomo at the time of writing.

If you enjoyed this and found it helpful (or totally unhelpful) please let me know by leaving a reaction or comment, or find me via jasminludolf.com.
