Third parties receive personal health information from more than 90 percent of visits to health-related websites, according to research to be published in the March 2015 issue of Communications of the ACM.
For the study, Timothy Libert, a doctoral student at the University of Pennsylvania's Annenberg School for Communication, examined the top 50 search results for close to 2,000 common diseases, which resulted in slightly more than 80,000 unique pages. Researchers found third-party HTTP requests in 91 percent of those pages.
What's more, in 70 percent of those requests, information on specific conditions, treatments and diseases was present.
"Personal health information--historically protected by the Hippocratic Oath--has suddenly become the property of private corporations who may sell it to the highest bidder or accidentally misuse it to discriminate against the ill," Libert said in an announcement touting the research. "As health information seeking has moved online, the privacy of a doctor's office has been traded in for the silent intrusion of behavioral tracking."
Libert called the problem "complex" but not impossible to remedy.
"There is no reason for non-profits, educational institutions or government-operated sites to be leaking sensitive information to commercial parties," he said. "While ad-revenue keeps commercial sites running, non-profits gain support from donors and grants. Fixing this situation could be as simple as an internal policy directive on a per-institution basis, or as expansive as adopting language which would deny funding to institutions which leak user data."
Last month, the Associated Press reported that the federal health insurance exchange was sending personal data on its users--including age, income, ZIP code and various health conditions--to third-party sites. In a letter to U.S. Department of Health and Human Services Secretary Sylvia Mathews Burwell shortly after that report was published, lawmakers demanded action from the Centers for Medicare & Medicaid Services.
"Instead of making decisions piecemeal, after problems have been discovered, CMS should have a standard protocol that protects consumer privacy," the letter said.