Mental health apps have grown in popularity, as people use them to track moods, substance use, and more. The data gathered by these apps is personal, so it’s really important that it stays private. However, a new study has found that some mental health apps are sharing data without permission.

The study found that out of 36 mental health apps, 29 were sharing data to services provided by Facebook or Google. Out of the 12 apps transmitting data to Facebook, only six disclosed what they were doing, while 12 out of 28 Google-linked apps did the same.

For the study, researchers searched the Android and iOS app stores in the United States and Australia using the terms “depression” and “smoking cessation.” Due to the nature of the apps, they included information like health diaries and voluntary tracking of substance use — which some apps shared.

The sharing of health data opens up a lot of concerns for some physicians. Steven Chan, a physician at Veterans Affairs Palo Alto Health Care System, told The Verge, “Potentially advertisers could use this to compromise someone’s privacy and sway their treatment decisions.”

Chan went on to add, “Maybe if someone is interested in smoking, would they be interested in electronic cigarettes? Or could they potentially introduce them to other similar products like alcohol?”

Conversations around health apps and the data they share have come up before. Period tracking apps are extremely popular, for example, and Bloomberg reported on how they monetize women’s “extremely personal data.”

There’s been a lot of growing discomfort around data and how it’s used, especially as people begin to notice phone ads resembling their conversations. For many, the fact that personal health information is now up for grabs is extremely off-putting.

Researchers cautioned professionals to not rely on disclosures about data sharing in privacy policies. Instead, they should “reasonably assume” that data will be shared “with commercial entities whose own privacy practices have been questioned.”

If possible, professionals should only consider apps “with data transmission behaviors that have been subject to direct scrutiny.”