Health sites are 'unlawfully' sharing medical data with Facebook and Google

Irish DPC warns that tracking allows sensitive information to be shared with major internet firms

Health-related websites are embedded with third-party trackers and cookies that may be leaking users’ sensitive medical data to internet giants for advertising purposes.

Special category data, such as the details of illnesses or conditions a user may search for on healthcare websites, are being shared with parties such as Facebook and Google, according to the Irish Data Protection Commission (DPC). 

This transfer of data is either done through the use of explicit user profiles of logged-in customers, or through predictive profiles based on unique identifiers. This, a report by the regulator suggests, is being done without a lawful basis.

The DPC refrained from mentioning any particular company but noted a few prominent examples of bad practice. 

Health insurers, for example, were found to use advertising and targeting cookies, including cookies set by the Google-owned DoubleClick. Another health-related site used targeted cookies, with cookies used to send users relevant ads when they visited other sites. 

The Irish DPC conducted a desktop examination of a slither of organisations - 38 in total - to assess whether they were complying with data protection regulations around advertising and user consent.

Each website was examined in a clean browser, and assigned a green, amber, or red rating depending on their level of compliance. Two organisations were awarded a green rating, with one achieving a borderline green to amber rating. While 20 were given an amber rating, three received a borderline amber to red grade, and a staggering 12 achieved red. 

Data controllers in the media and publishing, the banking and finance and health insurance sector had a significant level of third-party trackers, including advertising trackers which track users across the web.

One controller, alarmingly, had 150 third-party trackers as well as dozens of third-party analytics cookies set without consent. 

The Information Commissioner’s Office (ICO), the Irish DPC’s UK counterpart, had previously expressed its deep concerns over reports that some of the most popular health websites were sharing sensitive data with advertisers. 

Related Resource

Feeding the content-data loop

Like data, content must be well-managed, trustworthy, and secure

Download now

A Financial Times (FT) probe of 100 prominent health sites found that tracking cookies are embedded in users’ browsers without explicit consent to allow third-party companies to track users while they surf the web. This data is then transmitted to advertising platforms. 

The ICO has also conducted its own examination of the multi-billion pound adtech industry and published a report in June 2019 highlighting several issues around data protection violations, particularly around the concept of real-time bidding (RTB).

Companies in this space are openly violating standards set out under the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018.

Data rights campaigners have threatened to take the ICO to court, however, over its lack of action given the scale of violations that its investigators have exposed.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Identity Automation launches credential breach monitoring service
phishing

Identity Automation launches credential breach monitoring service

5 Oct 2021
Cellebrite launches industry-first remote data collection solution
data management

Cellebrite launches industry-first remote data collection solution

29 Sep 2021
Akamai to acquire cyber security firm Guardicore
Acquisition

Akamai to acquire cyber security firm Guardicore

29 Sep 2021
Qumulo packages disaster recovery into file management tool
data centres

Qumulo packages disaster recovery into file management tool

22 Sep 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
Veritas Backup Exec 21.3 review: Covers every angle
backup software

Veritas Backup Exec 21.3 review: Covers every angle

14 Oct 2021