Privacy and mHealth are fast becoming an important influence on the U.S. healthcare system. The most visible element of mHealth is the profusion of mobile phone applications, especially ones related to wellness. Before researchers can fully examine the impact of mHealth on healthcare, barriers to use need to be addressed. One of the barriers most cited by medical professionals and patients is lack of adequate privacy and security policies and regulation for mHealth apps. In this paper the current state of data security in mobile apps is investigated by conducting a physical forensics analysis of several widely used mHealth applications. We report on the kinds of personal data that can be uncovered both before and after applications are removed and/or secured on a mobile device. These results can be used to develop a set of recommendations that can help to inform users, developers and policy stakeholders of best practices in this area. We also introduce a policy framework for mHealth apps and discuss future work