UK regulator to assess claims that UK health websites shared users’ sensitive data with third parties

An investigation by the Financial Times found popular sites disclosed personal information to third-party companies.
By Tammy Lovell
11:28 AM

The UK data protection regulator, the Information Commissioner’s Office (ICO), is assessing a Financial Times (FT) investigation which claimed UK health websites share people’s sensitive data with third-party companies.

The FT study, which used open-source tools to analyse 100 health websites, found 79% dropped cookies allowing third parties to track individuals around the internet without the consent legally required in the UK.

According to the report, sites such as WebMD, Healthline, Babycentre and Bupa shared medical symptoms, menstrual and fertility information, diagnoses and drug names with companies including Google, Amazon, Facebook and Oracle.

Simon McDougall, the ICO’s executive director for technology policy and innovation, said the regulator “will be assessing the information provided by the FT before considering our next steps.”

Meanwhile, Facebook also said it was investigating the FT’s claims. “We don’t want websites sharing people’s personal health information with us — it’s a violation of our rules, and it doesn’t benefit us or people using Facebook. We’re conducting an investigation and will take action against sites in violation of our terms,” a spokesperson said.

Amazon and Google also denied using sensitive health data to build advertising profiles. Bupa told Healthcare IT News that although it used cookies on its site, it did not share visitors’ health information with third parties.

Oracle, Babycentre, Healthline and WebMD had not responded to requests for comment at the time of publication.

WHY IT MATTERS

Health information requires greater protection under UK data protection laws because of its sensitivity and the increased risk of harm to or discrimination against individuals.

The healthcare industry has faced multiple challenges complying with the EU’s General Data Protection Regulation (GDPR), which came into force in May 2018.

Bupa and Healthline both told Healthcare IT News they do not share visitors’ health information with third parties. Oracle, Babycentre, and WebMD had not responded to requests for comment at the time of publication. 

THE LARGER CONTEXT

A recent study by the charity Privacy International raised concerns that popular health websites in Europe routinely share users’ mental health information with advertisers, data brokers and large tech companies.

In April, the ICO fined pregnancy and parenting club Bounty UK £400,000, after an investigation found it unlawfully shared the personal information of more than 14 million people with organisations, including credit reference and marketing companies.

ON THE RECORD

Dr Saif F Abed, founding partner and director of cybersecurity firm, AbedGraham, said:

“What I find disturbing, though unfortunately not surprising, is that unique identifiers are seemingly being shared along with the health data itself. Not only is this without informed consent but creates a situation where large scale data breaches could effectively occur somewhere down the line depending on how far this data is shared and with which third parties.”