WebMD’s website has numerous features that transmit health information: both generic information about specific health conditions and symptoms, and personal health information linked with a user account that has identifying user details.

Any time someone accesses or transmits medical content online, whether generic or linked to their user account, there is no question that the information should be encrypted with HTTPS, so that anyone positioned to intercept the connection (another user on a public Wi-Fi network at a café or airport, or an employer monitoring its network) cannot learn your medical symptoms, conditions, and medications.

Unfortunately, WebMD does not use HTTPS almost anywhere on its site, except when a user actually signs up for or logs into the site. And once the user is logged in, the site sends them right back to unencrypted HTTP.

Even though a user may sign up with a pseudonymous username, they are still prompted for an email address, first name, last name, profile photo, and ZIP Code, any of which can personally identify them to others.

Writing a post on WebMD’s condition-specific forums? Well, anyone monitoring or intercepting the network traffic now knows that you have the condition, along with anything you write or have written in the past.

Entering an HIV medication in WebMD’s medication tracker? Well, anyone monitoring the network now knows that you’re HIV positive.

As mentioned, WebMD does use HTTPS (TLS/SSL) to encrypt the sign-up, authentication (login), and account management pages. However, when a site lets a user continue onto unencrypted HTTP pages after authenticating, as WebMD does, that work is for naught: the browser sends the user’s session cookie in the clear with every HTTP request, so it can easily be captured and replayed, and someone across the café or airport can then use WebMD’s site as you and see anything that you could see.

Even the more generic portions of WebMD’s site, like the informational pages about specific conditions and the WebMD Symptom Checker, use insecure HTTP. Although those pages are not tied to a specific user account unless you are logged in, they still transmit information about your specific medical symptoms and conditions insecurely, and that’s not okay.

This HTTP Shame was submitted by John, who writes in below to share his email to WebMD, and their oh-so-typical we-take-your-privacy-seriously message, which is affirmatively and provably false.

As seen in WebMD’s response, they encourage users not to post identifying information, but fail to consider users who, as noted above, might be using WebMD on a public network at a café or airport, or whose employer may be monitoring employee internet traffic. Workplace medical discrimination does happen, and WebMD is in the wrong here.

WebMD should serve its entire site over HTTPS, send a long-duration HSTS header, and set its session cookies with the ‘Secure’ flag, so that all data in transit is encrypted, authenticated user sessions only ever happen over HTTPS, and browsers refuse to load anything but the authentic WebMD site.
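To make that recommendation concrete, here is an added example written for this page; it is not WebMD’s code, and the traffic in it is constructed, not captured from WebMD. It does two things: it shows what an on-path observer can read from a cleartext request (the session cookie, which is all that is needed to hijack the session), and it audits raw HTTP responses against the three fixes above: a permanent redirect from HTTP to HTTPS, a year-long HSTS header with includeSubDomains, and the Secure flag (plus HttpOnly) on cookies. The hostname, cookie names and values, and response bodies are all hypothetical.

```python
import re
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample: what an eavesdropper on a café Wi-Fi sees when a logged-in
# user loads a plain-HTTP page. Hostname and cookie are hypothetical.
CAPTURED_HTTP_REQUEST = (
    "GET /drugs/medication-tracker HTTP/1.1\r\n"
    "Host: www.example-health.test\r\n"
    "Cookie: sessionid=3f9a1c; lang=en\r\n"
    "\r\n"
)

# Constructed responses: the weak pattern the post describes, and the hardened form.
WEAK_HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=3f9a1c; Path=/\r\n"
    "\r\n<html>tracker page served in the clear</html>"
)
HARDENED_HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example-health.test/drugs/medication-tracker\r\n"
    "\r\n"
)
HARDENED_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n<html>tracker page</html>"
)

MIN_HSTS_MAX_AGE = 31536000  # one year, the usual "long-duration" HSTS value


def parse_http_message(raw: str) -> Tuple[str, Headers]:
    """Split a raw HTTP/1.1 message into its start line and a header list.
    Names are lower-cased; repeated headers (e.g. several Set-Cookie) are all kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cookies_visible_to_eavesdropper(raw_request: str) -> Dict[str, str]:
    """Every cookie an on-path observer can read from a cleartext request.
    Over HTTP the Cookie header, session token included, is sent unencrypted."""
    _, headers = parse_http_message(raw_request)
    cookies: Dict[str, str] = {}
    for name, value in headers:
        if name == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def audit_response(raw_response: str, scheme: str) -> List[str]:
    """Return a list of findings for a response received over `scheme` ("http" or "https").
    An empty list means the response follows all of the recommendations."""
    status_line, headers = parse_http_message(raw_response)
    status = int(status_line.split()[1])
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)
    findings: List[str] = []

    if scheme == "http":
        # Plain HTTP must only ever answer with a permanent redirect to HTTPS.
        location = by_name.get("location", [""])[0]
        if not (status in (301, 308) and location.lower().startswith("https://")):
            findings.append("plain-HTTP request was served content instead of a permanent redirect to https://")
    else:
        # HTTPS responses must carry a long-lived HSTS policy covering subdomains.
        hsts = by_name.get("strict-transport-security")
        if not hsts:
            findings.append("no Strict-Transport-Security header on HTTPS response")
        else:
            match = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
            max_age = int(match.group(1)) if match else 0
            if max_age < MIN_HSTS_MAX_AGE:
                findings.append(f"HSTS max-age {max_age} is shorter than one year")
            if "includesubdomains" not in hsts[0].lower():
                findings.append("HSTS lacks includeSubDomains")

    # Without Secure the browser will happily send the cookie on the next HTTP request.
    for cookie in by_name.get("set-cookie", []):
        parts = cookie.split(";")
        cname = parts[0].split("=")[0].strip()
        attrs = {a.strip().lower() for a in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cname!r} lacks Secure: browser will send it over HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname!r} lacks HttpOnly")
    return findings


if __name__ == "__main__":
    print("eavesdropper sees:", cookies_visible_to_eavesdropper(CAPTURED_HTTP_REQUEST))
    for label, resp, scheme in [("weak", WEAK_HTTP_RESPONSE, "http"),
                                ("hardened http", HARDENED_HTTP_RESPONSE, "http"),
                                ("hardened https", HARDENED_HTTPS_RESPONSE, "https")]:
        print(label, "->", audit_response(resp, scheme) or "OK")
```

Run against real responses (for instance the raw output of `curl -si http://host/` and `curl -si https://host/`), the same checks apply unchanged; the audit is deliberately strict about the redirect being permanent, because only a 301/308 plus HSTS keeps a browser from ever repeating the cleartext request.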

John’s comment to WebMD Customer Care Team:

WebMD asks me (via e.g. the Symptom Checker) to transmit private health information over the internet. I’m comfortable with sharing this information with WebMD, but not with unrelated third parties such as my internet service provider or strangers connected to the same wireless network. Most sites in this situation offer access via a secure connection (HTTPS) in order to prevent third parties from viewing sensitive information. Wikipedia is a good example of this: https://www.wikipedia.org/ When I try to access WebMD via a secure connection, however (https://www.webmd.com/ or https://symptoms.webmd.com/), it returns an “Error 404” or “Access Denied” error message. How can I access WebMD privately?

Thank you,
John

Response from WebMD: