Health Websites Share Sensitive Personal Data with Advertisers Without Required Consent: Report

By Tom Ozimek
Tom Ozimek
Tom Ozimek
Tom Ozimek has a broad background in journalism, deposit insurance, marketing and communications, and adult education. The best writing advice he's ever heard is from Roy Peter Clark: 'Hit your target' and 'leave the best for last.'
November 13, 2019 Updated: November 13, 2019

Investigative reporters probing alleged misuse of the sensitive data of Europeans found that health websites were illegally sharing people’s information with ad-targeting companies including Google, Amazon, and Facebook.

The personal data shared without users’ explicit consent—a requirement under European data protection laws—includes medical symptoms, diagnostic information, as well as names of drugs.

Reporters at the Financial Times used an analytical tool called WebXray to analyze 100 health websites, including WebMD, Healthline, and Babycentre, according to an article headlined “How top health websites are sharing sensitive data with advertisers.”

The FT’s investigation found that 79 percent of the sites installed “cookies” on users’ computers without consent. In Europe, it is a legal requirement for websites to seek explicit consent to install chunks of code that allow third-party companies to track people’s online activity.

Computer scientist Tim Libert, who created the open-source tool WebXray that the FT used in its investigation, told the publication that the problem is that companies could use medical information to prey on the ill and vulnerable.

“There is a whole system that will seek to take advantage of you because you’re in a compromised state. I find that morally repugnant,” Libert told the FT.

He said people profiled on the basis of their assumed medical condition might face discrimination.

“As medical expenses leave many with less to spend on luxuries, these users may be segregated into ‘data silos’ of undesirables who are then excluded from favorable offers and prices,” Libert told the FT. “This forms a subtle, but real, form of discrimination against those perceived to be ill.”

Data Protection in Europe

In May 2018, the EU adopted the General Data Protection Regulation (GDPR), which subjects online marketers to tighter constraints.

Under the new rules, advertisers are prohibited from sharing “special category” data without explicit consent, in which the user is informed how their sensitive data will be used and by whom.

According to the British Information Commissioner’s Office, an independent authority set up to uphold information rights in the public interest, “special category” data “is more sensitive, and so needs more protection.”

“There are 10 conditions for processing special category data in the GDPR itself, but the Data Protection Act 2018 introduces additional conditions and safeguards,” the agency said.

The agency notes that “special category” data includes the following: race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life, or sexual orientation.

“In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination,” it notes.

The FT wrote in its report that none of the websites tested asked for the type of explicit and detailed consent required under law.

Privacy International

The report follows the earlier findings of data privacy advocacy group Privacy International, which reviewed the data gathering habits of 136 popular mental health web pages in France, Germany, and the UK.

In a publication titled “Your Mental Health for Sale,” the group noted its findings that the mental health websites examined shared users’ sensitive personal data with advertisers without the required consent.

The sensitive data tracked and shared with third-party marketers includes information from depression websites and the results of online mental health check tests.

“Our findings show that many mental health websites don’t take the privacy of their visitors as seriously as they should,” Privacy International wrote in its report. “This research also shows that some mental health websites treat the personal data of their visitors as a commodity, while failing to meet their obligations under European data protection and privacy laws.”

Regulators Probe Google-Ascension Deal

A U.S. federal regulator has initiated an investigation into a cloud computing deal between Alphabet Inc’s Google and Ascension Health, which would give Google access to detailed health information of millions of patients, The Wall Street Journal reported on Tuesday.

The Office for Civil Rights in the Department of Health and Human Services will look into the data collection to ensure the partnership is in compliance with the Health Insurance Portability and Accountability Act (HIPAA) which safeguards medical information, the Journal said.

On Monday, Google said patient data “cannot and will not be combined with any Google consumer data.”

Hours after the secret project was revealed, the two companies announced the collaboration in a press release, in which they said the joint project would see Ascension’s data moved onto Google’s Cloud platform.

The partnership will explore artificial intelligence and machine learning applications to help improve clinical quality and effectiveness, patient safety, and increase consumer and provider satisfaction, according to the statement.

Tariq Shaukat, President of Google Cloud, said, “By working in partnership with leading healthcare systems like Ascension, we hope to transform the delivery of healthcare through the power of the cloud, data analytics, machine learning, and modern productivity tools—ultimately improving outcomes, reducing costs, and saving lives.”

Ascension also said that its work with Google had been compliant with the Health Insurance Portability and Accountability Act 1996 (HIPAA) and “underpinned by a robust data security and protection effort and adherence to Ascension’s strict requirements for data handling.”

Reuters contributed to this report.

Tom Ozimek
Tom Ozimek
Tom Ozimek has a broad background in journalism, deposit insurance, marketing and communications, and adult education. The best writing advice he's ever heard is from Roy Peter Clark: 'Hit your target' and 'leave the best for last.'