79% of health websites are sharing patient information with third parties

A large majority of health websites share sensitive medical information about their visitors with technology companies such as Google, Facebook and Amazon, as well as with a large number of adtech companies and data brokers, an investigation by the Financial Times (FT) has found.

Having examined a hundred health websites, including WebMD, Healthline, Bupa and Babycentre, the Financial Times found that 79 percent of them allow third-party firms to place cookies and harvest large amounts of information, including medical conditions, fertility and menstrual information, symptoms, diagnoses and prescriptions.

FT noted that such harvesting of medical information from health websites is in direct violation of Europe's General Data Protection Regulation (GDPR), because the third-party companies do not obtain the consent of visitors before collecting their sensitive medical information.


"Consent and awareness are key principles of privacy, and there’s nothing more private than one’s healthcare information. The presumption health websites have in sharing data with advertisers is that the person investigating the health concern is in fact in the market for some remedy. Presumption is not consent and isn’t an invitation to share information with third parties," says Tim Mackey, Principal Security Strategist for Synopsys Cybersecurity Research Centre.

"In each of these instances, the websites appear to place a priority on advertising practices over data protection and the reality is that given access to any data, people will find a way to use, and potentially misuse it.

"With complex digital supply chains involved in data processing, transferring data from one organisation to another is in effect a case of trusting the security practices continue to align with expectations set when the supply chain vendor relationship was created."

Health websites must prioritise user consent & address data exposure, says ICO

Responding to the sharing of medical information by health websites with third-party companies without patient consent, the Information Commissioner's Office (ICO) said that healthcare companies have a responsibility to safeguard health information and must take steps to address the risk of data exposure.

"This investigation by the Financial Times further highlights the ICO's concerns about the processing of special category data in online advertising, as well as the role that site owners and publishers play in this ecosystem. Under data protection law, organisations have to ensure that their processing is fair, lawful and transparent and that appropriate security is in place," Simon McDougall, the ICO's executive director for technology policy and innovation, told IT Pro.

"In addition, special category data – such as health information – requires greater protection because of its sensitivity and the increased risk of harm to or discrimination against individuals. Organisations have to recognise this and take additional steps to address these risks," he added.

In a blog post published in July this year, the ICO told organisations based in the UK that the arrival of GDPR signalled the end of implied consent for the use of cookies on their websites.

The watchdog said that website visitors must take a clear and positive action to consent to non-essential cookies; that websites and apps must tell users clearly what cookies will be set and what they do, including any third-party cookies; that users must have control over any non-essential cookies; and that non-essential cookies must not be set on landing pages before users' consent is obtained.

"Any non-essential cookies, including third party cookies used for the purposes of online advertising or web analytics, require prior consent to the GDPR standard. Statements such as ‘by continuing to use this website you are agreeing to cookies’ are not valid consent under the higher GDPR standard," it said.

98% of mental health websites also allowing third parties to track visitors

The revelation that health websites share detailed patient information with third-party companies is not the first report of such activity since GDPR came into force. Earlier this year, Privacy International alleged that 98% of Europe's most-visited mental health websites offering help with depression contained third-party cookies, third-party JavaScript or images hosted on third-party servers, allowing third-party firms to track visitors for advertising and marketing purposes.

Privacy International found that 97.78 percent of these websites contained third-party cookies, third-party JavaScript or images hosted on third-party servers. Alarmingly, 76% of the 136 websites contained third-party trackers for marketing purposes, and among mental health websites in the UK the proportion rose to 86.27%.

PI found that many of the third-party trackers running on mental health websites were owned by Google, Amazon or Facebook: 92.16% of mental health web pages in the UK ran Google trackers, 49.02% ran Facebook's third-party trackers, and 11.76% ran Amazon Marketing Services.

It also observed that mental health websites generally placed a large number of third-party tracking cookies before visitors were able to give or refuse consent to cookies. The average mental health web page in the UK set 12.24 third-party tracking cookies, while the average page in France set 44.49.

"We found that three out of nine depression test websites don’t show a cookie banner, even though they are placing third-party cookies. We also found websites that ask for consent, but don’t offer a straightforward option to reject consent," PI said.
