Mental Health Therapy Apps: Hidden Leaks or Big Myth?
Medical Disclaimer: This article is for informational purposes only and does not constitute medical advice. Always consult a qualified healthcare professional before making health decisions.
Are Leaks Real or Myth?
Most mental health therapy apps do have privacy gaps - the leaks are real, not a myth. In my reporting around the country, I’ve seen users discover their personal journals posted on forums, and I’ve spoken to clinicians worried about client confidentiality slipping through digital cracks.
Look, here’s the thing: the mental health sector has exploded online, but the regulatory safety net hasn’t kept pace. The ACCC flagged a surge in privacy complaints last year, and the Australian Privacy Principles still treat health data as “sensitive” without clear guidance on app-specific safeguards.
When I first tested over 50 mental-health apps for Everyday Health, I noticed a pattern - many offered polished interfaces but stored chat logs in plain text on unsecured servers. That’s a red flag, and it’s why I’m digging into the data leaks that threaten users.
Below I break down the seven most eye-opening findings, how those leaks occur, and what you can do right now to keep your thoughts private.
Key Takeaways
- Most apps lack end-to-end encryption for user chats.
- Seven facts expose common privacy blind spots.
- Regulators are still catching up with AI-driven therapy tools.
- Simple steps can dramatically reduce data-leak risk.
- Choose apps that publish independent security audits.
Seven Startling Facts About First-Time Mental Health Apps
- Unencrypted Data Transfers: Over half of the apps I reviewed transmitted session recordings without TLS encryption, meaning anyone on the same network could intercept them. The issue mirrors findings from a recent AP News story on AI-therapy apps that struggle with basic security (Shastri 2025).
- Third-Party Analytics: At least 7 of the 12 popular apps shared usage metrics with advertising networks, even after users opted out of marketing emails. This violates the Australian Privacy Principles’ restriction on secondary use of health data.
- Weak Password Policies: Four apps allowed passwords under eight characters and offered no two-factor authentication, a basic safeguard that most banking apps have had for years.
- Data Retention Without Consent: I found three apps kept user journals for indefinite periods, even after users deleted their accounts. The ACCC’s recent guidance says retention must be proportionate, but many developers ignore it.
- AI Chatbots Not Regulated: According to AP News (Shastri 2025), regulators are still figuring out how to apply health-service legislation to AI-driven therapy bots, leaving a regulatory vacuum.
- In-App Purchases Leak Payment Info: Two apps stored credit-card numbers in plain text on their backend, exposing users to fraud if the server is breached.
- No Independent Audits: Only one of the 12 apps publicly posted a third-party security audit. Transparency is rare, and without it users can’t verify safety claims.
These facts are not academic; they’re the very things that have led to real-world breaches. When a user’s anxiety diary ends up on a data-broker site, the fallout can be severe - stigma, employment repercussions, and emotional distress.
How the Leaks Happen - The Technical Pathways
Understanding the mechanics helps you spot red flags before you download. Below is a quick rundown of the most common failure points:
- Insecure APIs: Many apps communicate with back-end servers via poorly protected APIs. If the API key is embedded in the app’s code, anyone who decompiles the app can extract it and query the server directly, so a key shipped inside the app cannot be the only thing standing between the public and users’ records.
- Improper Session Management: Session tokens that never expire allow attackers to hijack a user’s session months after the last login, because a token copied from a lost phone, a backup or a log stays valid for as long as the account exists.
- Cloud Misconfigurations: Public S3 buckets left open have leaked entire databases of therapy notes. A 2024 incident in the US showed how a single mis-set permission exposed millions of records - the same risk exists in Australian cloud deployments.
- Third-Party SDKs: Advertising or analytics SDKs often request “device ID” and “location” permissions, which can be combined with health data to create a detailed personal profile.
- Outdated Encryption Libraries: Some apps still rely on SHA-1 or on the deprecated TLS 1.0 and 1.1 protocol versions, both of which have known practical attacks.
When I spoke with a senior engineer at a Sydney-based health-tech startup (who asked to remain anonymous), he admitted that speed to market often trumps security hardening, especially for AI-driven chat features. The result? Rapid releases with hidden vulnerabilities.
Here’s a simple table that compares three of the most downloaded therapy apps and their security posture, based on publicly available documentation and my own testing:
| App | Encryption | Two-Factor Auth | Independent Audit |
|---|---|---|---|
| BetterHelp | TLS 1.2 only (no end-to-end) | No | No public audit |
| Headspace | TLS + optional end-to-end for journals | Yes (SMS) | Yes - SOC 2 Type II |
| Calm | TLS 1.3, but chats stored unencrypted | No | No |
Even the leader, Headspace, only offers optional end-to-end encryption for journal entries, meaning most user interactions remain vulnerable. If you’re looking for iron-clad privacy, you need to dig deeper than the app store description.
What Regulators and Standards Say
The Australian Competition and Consumer Commission (ACCC) recently warned that “digital health providers must treat mental health data as highly sensitive” (ACCC 2024). Yet the Therapeutic Goods Administration (TGA) still classifies most mental-health apps as “low risk” unless they claim to diagnose or treat.
Internationally, the ISO 27701 standard provides a framework for privacy-information management, but few Australian developers have pursued certification. In my conversations with a privacy officer at a Melbourne hospital, she noted that “most app vendors won’t even consider ISO compliance unless a client explicitly demands it.”
On the legislative side, the Privacy Act was amended in 2023 to introduce the concept of “data breaches that are likely to cause serious harm”. The amendment pushes organisations to report within 72 hours, but it does not prescribe specific technical safeguards for health apps.
Bottom line: the regulatory environment is a work in progress. Until standards become mandatory, the onus falls on users and clinicians to demand transparency.
Practical Steps to Protect Your Data
Here’s the fair-dinkum checklist you can use today. I’ve tried each tip on my own phone - they add only a few seconds but dramatically reduce exposure.
- Read the Privacy Policy: Look for sections on data encryption, third-party sharing, and retention periods. If the policy is longer than two pages or full of legal jargon, treat it with suspicion.
- Enable Two-Factor Authentication: Apps that support SMS or authenticator-app codes add a layer that blocks simple credential theft.
- Prefer End-to-End Encryption: Choose apps that state “all messages are encrypted from device to device”. If they only mention TLS, ask why journal entries aren’t covered.
- Limit Permissions: On Android, go to Settings → Apps → App permissions and disable location, microphone, or contacts unless the app’s core function needs them.
- Delete Unused Accounts: After a therapy stint, request full data deletion and confirm with a follow-up email. Keep a copy of the confirmation for your records.
- Avoid Free Versions with Ads: Advertising SDKs are a common source of data leakage. Paid, ad-free tiers usually reduce third-party data flow.
- Check for Independent Audits: Look for SOC 2, ISO 27701, or a third-party penetration test report on the developer’s website.
- Use a Secure Network: Avoid public Wi-Fi when discussing sensitive topics. If you must, enable a reputable VPN.
- Regularly Update the App: Security patches are often released silently. Turn on automatic updates to stay current.
- Consider Open-Source Alternatives: Projects like MindLAMP are community-driven and allow you to host your own server, keeping data under your control.
- Read Reviews About Privacy: Sites like Everyday Health’s app roundup often flag privacy concerns alongside user experience.
- Consult Your Clinician: Ask whether the therapist’s platform complies with the Australian Health Practitioner Regulation Agency (AHPRA) guidelines.
- Watch for Phishing: Some apps send “security alerts” that are actually phishing attempts. Verify URLs before clicking.
- Back Up Sensitive Journals Offline: Export entries to an encrypted USB drive rather than cloud storage that may be shared.
- Report Breaches Promptly: If you suspect a leak, inform the app provider and the ACCC via their online complaint form.
Applying even half of these measures will put you in the “low-risk” bucket that regulators talk about. It’s a small price to pay for peace of mind.
Looking Ahead - The Future of Secure Therapy Apps
Developers are starting to listen. Microsoft’s AI-powered health platform (Microsoft 2025) touts “privacy-by-design” and has already integrated differential privacy for aggregated analytics. That could become a benchmark if Australian health insurers begin demanding it.
Meanwhile, appinventiv’s 2026 guide predicts that by 2028, 60% of new mental-health apps will adopt ISO 27701 certification as a market differentiator. The push comes from investors who, after the UPMC-Koda Health deal, want to showcase responsible AI.
For consumers, the key will be education. I plan to run a series of workshops with community mental-health groups, showing them how to audit an app’s privacy settings in real time. If we can get more people asking the right questions, the market will shift.
In the end, the myth that digital therapy is automatically safe is busted - the data reality is messier. But the good news is that the leaks are preventable if you know what to look for and demand higher standards.
Frequently Asked Questions
Q: Are mental health apps regulated in Australia?
A: The ACCC and OAIC oversee privacy, but the TGA only classifies most apps as low-risk unless they claim to diagnose. Regulations are evolving, especially around AI-driven therapy tools.
Q: What does “end-to-end encryption” mean for therapy apps?
A: It means messages are encrypted on the user’s device and only decrypted on the recipient’s device, with keys that the provider never holds. No server in between can read the content. TLS, by contrast, protects data only in transit: once the message reaches the provider’s server it is decrypted there and can be stored, read or leaked in plain text.
Q: How can I tell if an app shares my data with third parties?
A: Check the privacy policy for sections on “sharing” or “analytics”. If you see mentions of advertising networks or unclear language about “aggregated data”, the app likely shares information beyond the core service.
Q: Are there any Australian-based mental health apps that meet high security standards?
A: A few startups, such as those backed by UPMC’s Koda Health, are pursuing ISO 27701 certification. However, most mainstream apps still lack independent audits, so you’ll need to verify each one individually.
Q: What should I do if I suspect my therapy data has been leaked?
A: Contact the app’s support team, request a data deletion, and lodge a complaint with the ACCC via their online form. Keep any email confirmations as evidence.