The vast majority of health websites share people's sensitive medical information with technology companies such as Google, Facebook and Amazon, as well as with a large number of adtech companies and data brokers, an investigation by the Financial Times (FT) has found.
Based on an analysis of 100 health websites, including WebMD, Healthline, Bupa and Babycentre, the FT found that 79 per cent of them allow third-party firms to plant cookies and harvest large amounts of information such as medical conditions, fertility and menstrual information, symptoms, diagnoses and prescriptions.
The FT noted that such harvesting of medical information from health websites is in direct violation of Europe's General Data Protection Regulation (GDPR), because the third-party companies do not obtain the consent of visitors to health websites before collecting their sensitive medical information.
"Consent and awareness are key principles of privacy, and there's nothing more private than one's healthcare information. The presumption health websites have in sharing data with advertisers is that the person investigating the health concern is in fact in the market for some remedy. Presumption is not consent and isn't an invitation to share information with third parties," says Tim Mackey, Principal Security Strategist for Synopsys Cybersecurity Research Centre.
"In each of these instances, the websites appear to place a priority on advertising practices over data protection and the reality is that given access to any data, people will find a way to use, and potentially misuse it.
"With complex digital supply chains involved in data processing, transferring data from one organisation to another is in effect a case of trusting the security practices continue to align with expectations set when the supply chain vendor relationship was created."
Health websites must prioritise user consent and address data exposure, says ICO
Responding to the sharing of medical information by health websites with third-party companies without patient consent, the Information Commissioner's Office (ICO) said that healthcare companies have to abide by their responsibility to safeguard health information and must take steps to address the risks of data exposure.
"This investigation by the Financial Times further highlights the ICO's concerns about the processing of special category data in online advertising, as well as the role that site owners and publishers play in this ecosystem. Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place," Simon McDougall, the ICO's executive director for technology policy and innovation, told IT Pro.
"In addition, special category data – such as health information – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks," he added.
The watchdog set out four requirements: website visitors must take a clear and positive action to consent to non-essential cookies; websites and apps must tell users clearly which cookies will be set and what they do, including any third-party cookies; users must have control over any non-essential cookies; and non-essential cookies must not be set on landing pages before the user's consent has been obtained.
"Any non-essential cookies, including third party cookies used for the purposes of online advertising or web analytics, require prior consent to the GDPR standard. Statements such as 'by continuing to use this website you are agreeing to cookies' are not valid consent under the higher GDPR standard," it said.
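The ICO requirements above translate directly into something a site operator can audit for. The following is an added example, not code from the FT, ICO or any site named in the article: it takes a constructed list of Set-Cookie events (the kind of record a browser proxy or devtools export produces during a landing-page load), classifies each cookie as first- or third-party relative to the page, and flags every non-essential cookie set before a positive consent action. It also checks whether any third-party request carried the page's path segment, which is how a condition name leaks to a tracker. All domains, cookie names and the essential-cookie list are hypothetical, and the public-suffix handling is a deliberately small stand-in for the real Public Suffix List.

```python
"""Audit cookie-setting events captured during a landing-page load.

Added example, not part of the article or any named site's code.
Input is a constructed list of Set-Cookie events; names and domains
are hypothetical.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: a tiny subset of multi-label public suffixes so that
# 'www.example-health.co.uk' maps to 'example-health.co.uk'.  Production
# code should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


@dataclass
class CookieEvent:
    response_url: str   # URL of the response that carried the Set-Cookie header
    set_cookie: str     # raw Set-Cookie header value
    consented: bool     # True if the visitor had taken a positive consent action


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 for a host using the small suffix table above."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookies(page_url: str, events, essential_first_party):
    """Return (name, domain, party, reason) for each cookie set without consent.

    Only first-party cookies the operator has classified as strictly
    necessary are exempt; a third-party cookie is never treated as essential.
    """
    page_domain = registrable_domain(urlsplit(page_url).hostname)
    findings = []
    for ev in events:
        name, attrs = parse_set_cookie(ev.set_cookie)
        host = urlsplit(ev.response_url).hostname
        cookie_domain = (attrs.get("domain") or host).lstrip(".")
        party = ("first-party" if registrable_domain(cookie_domain) == page_domain
                 else "third-party")
        if party == "first-party" and name in essential_first_party:
            continue
        if not ev.consented:
            findings.append((name, cookie_domain, party,
                             "non-essential cookie set before consent"))
    return findings


def page_context_leaks(page_url: str, events):
    """Third-party request URLs that contain the page's last path segment."""
    page = urlsplit(page_url)
    page_domain = registrable_domain(page.hostname)
    segment = page.path.rstrip("/").rsplit("/", 1)[-1]
    leaks = []
    for ev in events:
        host = urlsplit(ev.response_url).hostname
        if registrable_domain(host) == page_domain:
            continue
        if segment and segment in ev.response_url and ev.response_url not in leaks:
            leaks.append(ev.response_url)
    return leaks


# Constructed sample: a landing page for a depression self-test.
PAGE_URL = "https://www.example-health.co.uk/conditions/depression-test"
SAMPLE_EVENTS = [
    CookieEvent(PAGE_URL,
                "sessionid=9f3c; Path=/; Secure; HttpOnly; SameSite=Lax", False),
    CookieEvent(PAGE_URL,
                "_ga=GA1.2.1; Domain=.example-health.co.uk; Path=/; Max-Age=63072000", False),
    CookieEvent("https://pixel.example-ads.net/collect?page=depression-test",
                "uid=4d2a; Domain=.example-ads.net; Path=/; SameSite=None; Secure", False),
    CookieEvent("https://pixel.example-ads.net/collect?page=depression-test",
                "uid_opt=7b1e; Domain=.example-ads.net; Path=/; SameSite=None; Secure", True),
]
ESSENTIAL_FIRST_PARTY = {"sessionid"}  # operator's own classification (assumed)

if __name__ == "__main__":
    for finding in audit_cookies(PAGE_URL, SAMPLE_EVENTS, ESSENTIAL_FIRST_PARTY):
        print("FINDING:", finding)
    for url in page_context_leaks(PAGE_URL, SAMPLE_EVENTS):
        print("PAGE PATH SENT TO THIRD PARTY:", url)
```

On the sample input the audit flags both the first-party analytics cookie and the third-party tracker cookie that were set before consent, while the session cookie (strictly necessary) and the cookie set after consent pass. The leak check reports the pixel request because the `depression-test` segment of the page URL appears in it; that is the mechanism by which a visitor's condition of interest reaches an advertiser, independent of any cookie.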
98% of mental health websites also allow third parties to track visitors
A separate study by Privacy International (PI) found that a large number of the third-party trackers running on mental health websites were owned by Google, Amazon or Facebook. In the UK, 92.16% of mental health web pages were running Google trackers, 49.02% were running Facebook's third-party trackers, and 11.76% were running Amazon Marketing Services.
"We found that three out of nine depression test websites don’t show a cookie banner, even though they are placing third-party cookies. We also found websites that ask for consent, but don’t offer a straightforward option to reject consent," PI said.