If you’re using any of the Top 100 health websites in the world, there’s a good chance that sensitive medical data and identifying personal information could be shared with tech firms, advertisers and data brokers without your knowledge or consent. In the UK, the Financial Times recently conducted an investigation into 100 popular health websites – including WebMD, Healthline, Bupa and BabyCentre – to see what kind of data they were collecting from users and then sharing with third parties. As it turns out, 79% of these websites used web cookies to track users and then shared that information with third-party advertisers. And not one of these websites asked for the explicit consent of users to do this, a practice that is currently illegal under European privacy laws due to the sensitive nature of medical data.

Results of the FT investigation into health websites

As the Financial Times points out, there is nothing wrong with health websites using cookies, and there is nothing wrong with health websites using any data gleaned from those cookies to optimize overall website performance. That’s not the issue. The problem is that this web cookie data is then shared with advertisers and big tech firms like Google, Amazon and Microsoft, not to mention data brokers and smaller ad tech firms like ScoreCard, OpenX and AppNexus that nearly nobody has ever heard of.

Under the terms of the European General Data Protection Regulation (GDPR), medical information is classified as “special category” data and is considered to be much more sensitive than other data. As a result, medical data automatically triggers the need for companies to ask for the explicit consent of users if they plan to share it with third parties. In asking for this explicit consent, they must disclose what data they are collecting, with whom they are sharing it, and for what purpose.

And, as the Financial Times found, health websites are doing a spectacularly bad job of complying with this rule. While these websites might ask for general consent to use cookies, not one of them discloses that this tracking data might be shared with third parties, or bothers to ask for consent. In some cases, it means that potentially sensitive medical data is being shared with a vast ecosystem of advertisers and data brokers, all without the knowledge of the user.

During the investigation, the Financial Times found that health information search terms like “drug overdose” and “abortion” were routinely being shared with third parties. Moreover, the Financial Times identified several different classes of medical data that were being shared with these firms, including medical diagnoses, symptoms, prescriptions, names of specific drugs and even menstrual and fertility data. The most active third parties gaining access to this medical data were Google (via its DoubleClick online advertising unit), Amazon, Facebook and Microsoft. 78% of health websites, in fact, share medical data with DoubleClick, and another 48% of health websites share medical data with Amazon.

Big tech firms, medical data and online advertising

The natural question becomes: Why exactly are these big tech firms looking to acquire this medical data? The easiest answer, of course, is that this medical data becomes another way for these firms to serve up targeted ads to users. Presumably, if Google knows that you have been searching for “heart disease symptoms,” it will be able to serve up targeted ads to match. That would help to explain why DoubleClick was the No. 1 biggest culprit in this medical data scandal involving health websites sharing sensitive data.

Yet, Google says that it is not doing this. In response to the FT conducting an investigation, it says that all health websites are marked “sensitive” internally, which means that data collected from them cannot be used for personalized advertisements. However, Google does acknowledge that its advertising audience could use this medical data for contextual purposes. What this means in practical terms is that any programmatic ad exchange operated by Google would have a way to signal to advertisers, “Hey, there’s someone on a website for mental health right now, do you want to show them an ad?” That’s creepy, but not nearly as creepy as if Google were assisting these advertisers in creating detailed personal profiles of users that includes mental health data.

And, as might be expected, nearly everyone implicated in this Financial Times investigation found a way to excuse their behavior, or to claim that they had safeguards in place preventing advertisers from seeing this data. Some health websites said that all medical data was pseudonymized or anonymized, such that it couldn’t be linked back to a specific person. Other websites said they might collect data, but did not share any “sensitive data” with third parties. This “sensitive data” excuse is especially important, given that it automatically triggers the need to ask for a user’s explicit consent.

Other uses for medical data from health websites

However, online advertising is hardly the only possible use for this medical data. Take Google, for example. The company has been expanding aggressively into the health data space recently, making plans to acquire Fitbit for $2.1 billion, and signing health data partnership deals everywhere it can. Google has a deal in place with Ascension, the No. 2 health system in the United States, in order to obtain access to 50 million patient records.

Google says that it is not gaining access to this medical data in order to serve up targeted ads. Instead, it says that it will be using this medical data to “transform healthcare” by deploying it to train machine learning and AI algorithms. This use of the medical data, Google argues, falls within the allowable uses under the landmark 1996 Health Insurance Portability and Accountability Act (HIPAA), which establishes clear “red lines” as to how personal health data can be shared with third parties without the need to obtain explicit consent of the patient.

Investigation into 100 popular #health website shows that 79% are sharing web cookie data with #advertisers. #respectda Click to Tweet

Medical data as the next big regulatory front

Heading into 2020, medical data is shaping up to be the next big regulatory battleground. Until recently, big tech firms might have provided software and IT support to healthcare providers, but they did not actively use any medical data for other commercial purposes. So this Financial Times investigation should be a wakeup call: it’s clear the biggest tech firms in the world – including Google, Amazon and Facebook – are pushing aggressively into the healthcare space and looking for loopholes and exceptions to use any medical data they can find or acquire in order to fuel their own business and commercial ambitions.