Most health-related websites send data to third parties

By Jonah Comstock

Asking "Dr. Google" about a medical problem isn't just a questionable way to get good answers -- it's also a potential security risk, according to research by Tim Libert, a University of Pennsylvania doctoral student, who was recently featured on NPR's All Tech Considered.

search engine graph

"Anything that is happening on the web today is pretty much completely unregulated," Libert told NPR's Robert Siegel. "There's really no oversight and there's no real standards either. Companies aren't required to encrypt the information to keep it in a secure place. And we've also been seeing a lot lately that this is of interest to criminals, so there is additional kind of worry that not only is it not protected by HIPAA -- it's not really protected at all."

Libert performed web searches for nearly 2,000 health conditions and used those searches to generate a list of more than 80,000 websites health searchers might visit. He found that 91 percent of those pages had something on the page that would alert a third party about the user's visit. The third party would know the user's IP address and the search term that brought them to the page, so they could connect the online search behavior to individuals.

"There's actually companies that sell lists of people who have different diseases or symptoms," Limbert told NPR. "There's been some kind of chilling cases: [There were] companies selling lists of people who had been raped or people who had AIDS. So there's a market for this stuff."

Most data-collectors are advertisers, Libert writes, but some are data brokers who will sell their lists to others. Specifically, 78 percent of the third-party requests he tracked came from Google, through various services like Google Analytics and Google AdView. The next two most prevalent companies were comScore and Facebook at 38 percent and 31 percent respectively; Facebook collects data from any site with a Facebook "Like" button, whether the user chooses to click it or not.

Experian and Acxiom are the two data brokers Libert was able to identify, though they only collected data from 5 percent and 3 percent of pages, respectively. Adobe and Amazon also made it in the top 10.

In the past, the Pew Research Center has found that 72 percent of internet-using adults have gone online looking for health information, and 80 percent of those searches start at a search engine like Google.