Using popular health apps could mean private information about medical conditions is not kept confidential, researchers warn.
Of 24 health apps in the BMJ study, 19 shared user data with companies, including Facebook, Google and Amazon.
It warns this could then be passed on to other organisations such as credit agencies or used to target advertising.
And data was shared despite developers often claiming they did not collect personally identifiable information.
Users could be easily identified by piecing together data such as their Android phone's unique address, the study says.
"The semi-persistent Android ID will uniquely identify a user within the Google universe, which has considerable scope and ability to aggregate highly diverse information about the user," the research team wrote in the BMJ.
"These apps claim to offer tailored and cost-effective health promotion – but they pose unprecedented risk to consumers' privacy given their ability to collect user data, including sensitive information.
The authors conclude:
Security expert Prof Alan Woodward, from the University of Surrey, said: "Users still have little understanding of how the data they entrust to these apps is being shared."
Prof Gil McVean, of the Department of Medicine at the University of Oxford, said there was no evidence of wrongdoing but the study showed "how behind-the-scenes sharing of information among a network of tech companies can potentially be used to create a detailed understanding of an individual's health and activity".