
For years, millions of women have used mobile apps to help track their menstrual cycles and get a better handle on their fertility. But now, it turns out, some of those apps may have been leaking this intimate information.

Glow, one of the most popular apps in this market, had a major flaw that could let anyone who knew a user’s email address access that person's data, according to a recent investigation by Consumer Reports. That’s a big deal because Glow prompts users to reveal a lot, including the last time they had sex (and in what position), how many drinks they’ve had each day and, of course, when Aunt Flo is in town.

Glow’s issues also shine a light on the regulatory gray zone that encompasses period trackers, fitness trackers and other health-related apps. The data users put into the apps aren’t automatically covered by HIPAA, the federal health privacy law that shields, for instance, information shared with your doctor. Instead, the Food and Drug Administration has said it would exercise "discretion" on whether it would pursue privacy violations by many health apps.

“This kind of information for women is very intimate,” Patient Privacy Rights founder Deborah Peel said. “The implications are really huge: There are absolutely no laws that protect that information from being sold, disclosed, or traded — for any purpose, be it marketing or research.”

Although HIPAA-based regulation has rules about data security, fertility- and period-tracking apps generally aren't required to go through security testing before they make it onto users’ smartphones. But Consumer Reports did its own security audit of Glow and found several problems.

The most troubling involved a feature in which a Glow user could link their account with another person's to share information. But Consumer Reports discovered that anyone who knew a user's email address could start getting that data without the user's explicit permission. That means practically anyone, including stalkers or abusive exes, could have found a window into the intimate data the app tracked.

Glow, which was developed by a tech incubator started by PayPal co-founder Max Levchin, worked quickly to fix the problem after Consumer Reports told the developers about the issue. It also sent an email to users informing them about the bug and advising them to check their linked accounts.

"Of the more than 4 million users across our apps, far less than 0.15% of our users could have potentially been impacted, but there is no evidence to suggest that any Glow data has been compromised," Jennifer Tye, the head of Glow's U.S. operations, said in an emailed statement.

Last fall, Glow said it helped more than 150,000 couples conceive and promoted research that it said showed that users who meticulously tracked ovulation cycles in the app were 40 percent more likely to get pregnant than casual users. But, as Wired reported at the time, some experts were skeptical that Glow was really the reason those couples got pregnant.

In an interview, Tye told The Post that the company's apps don't seek to replace services offered by fertility specialists. Instead, Glow's apps "help women and couples track various aspects of their reproductive health." Having that information on hand could help those struggling with infertility work through the issue with their doctors, she said.

However, a recent study published in the Journal of the American Board of Family Medicine found that many popular fertility- and period-tracking apps struggled to accurately predict when women were most fertile — with Glow ranking near the bottom of the reviewed apps.

Despite concerns about their effectiveness and Glow's security problems, the market for these apps is still booming — several of them rank high on Apple's App Store listing of health and fitness apps.

But privacy experts worry the women who use these apps may not fully realize that their data is thinly protected. Alison Contreras, the lead researcher on the study that raised questions about the effectiveness of popular fertility-tracking apps, said a surprising number of the apps that her team reviewed "didn't have any privacy policy at all."

Glow does have a privacy policy, which says it does not sell or rent personal information to third parties — but that it may share data in “an aggregate and anonymous format.” The company also reserves the right to use information “to deliver targeted marketing.” Information about when a woman is trying to have a baby is valuable to marketers because motherhood is one of the few life events in which consumers often get hooked on new brands, according to Peel, the Patient Privacy Rights founder.

"Generally, our policy is very consistent with what lots of other companies out there say," said Tye, the Glow executive. She said the app does not currently feature marketing or advertising from other brands.

Some other period-tracking app privacy policies are more vague. Period Tracker Lite's privacy policy, for instance, provides few details — and a 2013 investigation by the Financial Times concluded the app shared user data with third parties. The developer, GP Apps, told The Post that the report was incorrect and that it does not and never has shared user data.

A 2014 Federal Trade Commission study of the larger health app market, in which period-tracking apps are a major player, also found that many of the apps the agency reviewed shared users' information with third-party advertising and analytics firms.

Concerns about privacy and security have left some experts skeptical about fertility- and period-tracking apps operating outside of the traditional regulatory framework for health data. Although these apps could help researchers learn more about women's health, app-makers should also acknowledge they're "handling medical information that should be treated with the right safety precautions and confidentiality," Contreras said.

"There's definitely the need for some sort of HIPAA-compliant app that would allow a patient to directly communicate with physicians," she said.