The NHS app is gathering and storing sensitive facial verification data from patients in England with a tech company linked to Conservative Party donors, iProov.
Privacy groups have expressed concern over how securely this data is being held and have called for greater transparency over the contract.
Jake Hurfurt, head of research and investigations at civil liberties group Big Brother Watch, said: “We’re deeply concerned by the secrecy surrounding facial verification and data flows in the NHS app, particularly given the involvement of a private company.
“It raises questions about how private and secure anyone’s information is when using facial verification and the NHS login. Anyone who sends personal information to a private company, at the encouragement of the NHS, has a right to know exactly what happens to their data.”