Using popular health apps could mean private information about medical conditions is not kept confidential, researchers warn.
Of 24 health apps in the BMJ study, 19 shared user data with companies, including Facebook, Google and Amazon.
It warns this could then be passed on to other organisations such as credit agencies or used to target advertising.
And data was shared despite developers often claiming they did not collect personally identifiable information.
Users could be easily identified by piecing together data such as their Android phone's unique address, the study says.
"The semi-persistent Android ID will uniquely identify a user within the Google universe, which has considerable scope and ability to aggregate highly diverse information about the user," wrote co-author Dr Quinn Grundy of the Lawrence S. Bloomberg Faculty of Nursing at the University of Toronto.
"These apps claim to offer tailored and cost-effective health promotion - but they pose unprecedented risk to consumers' privacy given their ability to collect user data, including sensitive information."
The authors conclude:
- doctors need to warn patients about the threat to their privacy from using such apps
- regulators should consider that loss of privacy is not a fair cost for the use of digital health services
Security expert Prof Alan Woodward, from the University of Surrey, said: "Users still have little understanding of how the data they entrust to these apps is being shared."
Prof Gil McVean, of the Department of Medicine at the University of Oxford, said there was no evidence of wrongdoing but the study showed "how behind-the-scenes sharing of information among a network of tech companies can potentially be used to create a detailed understanding of an individual's health and activity".