“Some of the UK’s most popular health websites are sharing people’s sensitive data — including medical symptoms, diagnoses, drug names and menstrual and fertility information — with dozens of companies around the world, ranging from ad-targeting giants such as Google, Amazon, Facebook and Oracle, to lesser-known data-brokers and adtech firms like Scorecard and OpenX. Using open-source tools to analyse 100 health websites, which include WebMD, Healthline, Babycentre and Bupa, an FT investigation found that 79 per cent of the sites dropped “cookies” — little bits of code that, when embedded in your browser, allow third-party companies to track individuals around the internet. This was done without the consent that is a legal requirement in the UK.”
“How top health websites are sharing sensitive data with advertisers” by Madhumita Murgia and Max Harlow on FT.com
The article was based on a research paper, “Privacy Implications of Health Information Seeking on the Web”, by Timothy Libert at the University of Pennsylvania.
“Online health privacy is an issue which affects the majority of Internet users. According to the Pew Research Center, 72% of adult Internet users in the U.S. go online to learn about medical conditions. Yet only 13% of these begin their search at health-specific sites. In fact, health information may be found on a wide spectrum of sites ranging from newspapers, discussion forums, to research institutions. In order to discover the full range of sites users may visit when seeking health information, I used a search engine to identify 80,142 unique health-related web pages by compiling responses to queries for 1,986 common diseases. This selection of pages represents what users are actually visiting, rather than a handful of specific health portals. Having identified a population of health-related web pages, I created a custom software platform to monitor the HTTP requests initiated to third-parties. I discovered that 91% of pages make requests to additional parties, potentially putting user privacy at risk. Given that HTTP requests often include the URI of the page currently being viewed (known as the “Referer”), information about specific symptoms, treatments, and diseases may be transmitted. My analysis shows that 70% of URIs contain such sensitive information. This proliferation of third-party requests makes it possible for corporations to assemble dossiers on the health conditions of unwitting users. In order to identify which corporations are the recipients of this data I have also analyzed the ownership of the most requested third-party domains. This has produced a revealing picture of how personal health information becomes the property of private corporations.”
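
The Referer leak described in the abstract can be audited from a capture of a site's outgoing requests. The following is an added example, not the paper's software: the request records, the `.example` domains, the keyword list and the function names are all constructed for illustration, and the "last two hostname labels" rule is a simplification of proper Public Suffix List matching.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (page being viewed, request it triggered, Referer sent or None)
PAGE_A = "https://health.example/conditions/herpes/symptoms"
PAGE_B = "https://clinic.example/about"
PAGE_C = "https://health.example/search?q=diabetes+treatment"
SAMPLE = [
    (PAGE_A, "https://static.health.example/app.js", PAGE_A),
    (PAGE_A, "https://tracker.adnet.example/pixel.gif", PAGE_A),
    # Origin-only Referer, as sent under Referrer-Policy: strict-origin
    (PAGE_A, "https://cdn.widgets.example/share.js", "https://health.example/"),
    (PAGE_B, "https://clinic.example/logo.png", PAGE_B),
    (PAGE_C, "https://tracker.adnet.example/pixel.gif", PAGE_C),
    (PAGE_C, "https://fonts.widgets.example/f.woff", None),
]
TERMS = ["herpes", "diabetes", "asthma"]  # stand-in for a disease keyword list

def site(url):
    """Approximate registrable domain: last two labels of the hostname."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def referer_leaks(requests, terms):
    """Map each third-party site to the health terms it received via Referer."""
    leaks = defaultdict(set)
    for page_url, request_url, referer in requests:
        third = site(request_url)
        if third == site(page_url):
            continue  # first-party request, not a disclosure to another party
        found = leaks[third]  # record the contact even if nothing leaks
        if referer:
            parts = urlsplit(referer)
            haystack = (parts.path + "?" + parts.query).lower()
            found.update(t for t in terms if t in haystack)
    return dict(leaks)

def third_party_page_share(requests):
    """Fraction of distinct pages that made at least one third-party request."""
    pages = {page for page, _, _ in requests}
    exposed = {page for page, req, _ in requests if site(req) != site(page)}
    return len(exposed) / len(pages)

if __name__ == "__main__":
    for party, terms in sorted(referer_leaks(SAMPLE, TERMS).items()):
        print(party, sorted(terms) or "contacted, no health terms in Referer")
    print(f"pages with third-party requests: {third_party_page_share(SAMPLE):.0%}")
```

In the constructed data, the party that receives the full page URI learns both conditions, while the party that receives an origin-only Referer is still contacted but learns no health terms.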