Happtique, a subsidiary of the Greater New York Hospital Association’s for-profit arm GNYHA Ventures, has suspended its mobile health app certification program after the CEO of a health IT firm published a blog post exposing security issues with two apps Happtique had certified as secure. Harold Smith III, CEO of Monkton Health, posted the findings on his personal blog, according to a report over at MedCity News.
Smith writes that he randomly picked two of the 16 apps that Happtique had announced as certified earlier this month and found that both had issues with storing sensitive information as plain text files and that one of them wasn't using HTTPS. As he points out, the bigger issue is with Happtique, which has billed its certification program as a way to help the market feel confident in the security and functionality of mobile health apps, and also as a process that helps developers ensure they are following best practices.
"Happtique farms out the validation of the actual software to Intertek," Smith writes. "I cannot comprehend how both Happtique and Intertek failed to catch these litany of issues present in both products. Storing plain text passwords is unreal. Storing unencrypted ePHI is crazy. Sending ePHI over HTTP is inexcusable."
Happtique posted a statement about the incident on its site this week and announced that it was suspending its certification program pending a review:
"Last week, a developer raised concerns about the testing results for one of the HACP standards," Happtique wrote. "After fully vetting the issue with our technical testing partner Intertek, we are not satisfied that current testing methodologies appropriately evaluate our standards and performance requirements. As a result, we are re-evaluating the testing methodologies for the HACP and believe the responsible next step is to suspend the certified app registry pending this further review."
Happtique said that it planned to "strengthen the program for the future" in its statement:
"While this program is an important first step toward transparency and accountability in the health app marketplace, maintaining a comprehensive certification program is an iterative process. We will continue to work with industry stakeholders to review and revise the standards and testing methodologies as necessary in order to strengthen this program for the future. Thank you for your ongoing support and feedback."
The suspension is only the latest hiccup for Happtique. Earlier this year, MobiHealthNews exclusively reported that its parent company GNYHA Ventures had decided to re-focus Happtique on its hospital customers and to repurpose its budget. This led to the departure of most of its management team, including CEO Ben Chodor and Chief Marketing & Strategy Officer Tammy Lewis. At the time, GNYHA SVP of Communications Brian Conway told MobiHealthNews the certification program and mRx were both on track for completion.
While the company's latest statement indicates plans for a reworked certification program in the future, given the lackluster interest from developers working in mobile health (only 10 companies opted to participate in Happtique's certification program), the next iteration might look very different.