NHS websites routinely give people’s health secrets to Google and Facebook without users’ consent, an investigation has found.
The tech giants collect users’ browsing habits and use the information to build detailed profiles for each visitor, which they can use to target advertisements.
The pages viewed likely indicate the medical conditions a patient is living with, such as cancer, gambling addiction or more intimate problems such as erectile dysfunction, researchers say.
If the sites are visited on the same device that is used to log in to social media accounts, ‘Big Tech’ could even build a full picture of the user, including name, age and address.
Websites track users’ browsing habits by placing cookies, small files carrying an identifier, on their computers as they browse the Internet. Third-party scripts embedded in a page, such as analytics or advertising tags, can set their own cookies and so recognise the same visitor on every site that embeds them.
Under data protection law, websites must tell users that they and third parties are placing these files on their computers and obtain their consent before doing so, which also means honoring a refusal. Usually this comes in the form of a pop-up window asking them to ‘accept cookies’, something that has become increasingly familiar and frustrating for millions.
But new research from digital agency 7DOTS shows that most healthcare providers in Britain are breaching these regulations.
The company searched public data from the Care Quality Commission and queried the websites of more than 3,500 registered organisations, such as hospitals, clinics and GP practices.
The researchers then checked whether each site allowed visitors to opt out of tracking and, where it did, whether that choice was honored, that is, whether tracking cookies stopped being set.
Analysis showed that 59 percent of websites did not comply with the General Data Protection Regulation (GDPR).
Even among the 219 providers that used a reputable cookie consent management platform, 63 percent continued to set tracking cookies after the visitor had opted out.
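The article does not describe 7DOTS’s tooling, so the following is an added illustration, not the researchers’ own code, of the kind of check involved. It assumes a crawler has already captured the browser’s cookie jar on first load (before the visitor answers the banner) and again after the visitor clicks ‘reject’ or ‘opt out’; the cookie-name-to-vendor table uses the widely documented names for Google Analytics, Facebook Pixel, DoubleClick, Google Ads and YouTube but is an assumption for this example, and the three sample sites and their cookie jars are constructed. It goes slightly beyond the article by also flagging trackers set before any choice is made.

```python
"""Offline check of whether a site honoured a visitor's cookie choice.

Input: two snapshots of cookie names captured during a crawl (in practice
with a headless browser): before the visitor interacts with the consent
banner, and after the visitor opts out. A site passes only if no known
tracking cookie is present in either snapshot.
"""
import re
from dataclasses import dataclass

# Vendor attribution by cookie name. These are the commonly documented
# cookie names for each product; the table is an assumption for this
# example and a real crawler would use a maintained database.
TRACKER_PATTERNS = [
    (re.compile(r"^_ga(_[A-Z0-9]+)?$"), "Google Analytics"),
    (re.compile(r"^_gid$"), "Google Analytics"),
    (re.compile(r"^_gat(_[A-Za-z0-9_-]+)?$"), "Google Analytics"),
    (re.compile(r"^_fb[pc]$"), "Facebook Pixel"),
    (re.compile(r"^IDE$"), "Google DoubleClick"),
    (re.compile(r"^_gcl_au$"), "Google Ads"),
    (re.compile(r"^(VISITOR_INFO1_LIVE|YSC)$"), "YouTube"),
]


def vendor_for(name):
    """Return the tracking vendor a cookie name belongs to, or None if the
    name is not a known tracker (session and consent cookies fall here)."""
    for pattern, vendor in TRACKER_PATTERNS:
        if pattern.match(name):
            return vendor
    return None


@dataclass
class Verdict:
    before_choice: dict   # tracker name -> vendor, set before any choice
    after_optout: dict    # tracker name -> vendor, still set after opt-out
    compliant: bool
    vendors: set


def assess(before_choice, after_optout):
    """Classify both snapshots and decide whether the site respected the
    visitor: no trackers before a choice, none after an opt-out."""
    pre = {n: v for n in before_choice if (v := vendor_for(n))}
    post = {n: v for n in after_optout if (v := vendor_for(n))}
    vendors = set(pre.values()) | set(post.values())
    return Verdict(pre, post, not pre and not post, vendors)


def survey(sites):
    """Run assess() over every site and summarise the results the way the
    article reports them: non-compliance rate, and the share of
    non-compliant sites on which each vendor appears."""
    verdicts = {host: assess(s["before_choice"], s["after_optout"])
                for host, s in sites.items()}
    failing = [h for h, v in verdicts.items() if not v.compliant]
    vendor_counts = {}
    for host in failing:
        for vendor in verdicts[host].vendors:
            vendor_counts[vendor] = vendor_counts.get(vendor, 0) + 1
    return {
        "verdicts": verdicts,
        "non_compliant": failing,
        "non_compliance_rate": len(failing) / len(sites) if sites else 0.0,
        "vendor_share_of_non_compliant": (
            {v: c / len(failing) for v, c in vendor_counts.items()} if failing else {}
        ),
    }


# Constructed cookie-jar snapshots for three hypothetical sites. The
# hostnames and cookie sets are invented for this example.
SAMPLE_SITES = {
    "clinic-a.example": {            # trackers set before any choice at all
        "before_choice": {"PHPSESSID", "_ga", "_gid", "_fbp"},
        "after_optout": {"PHPSESSID", "CookieConsent", "_ga", "_gid", "_fbp"},
    },
    "practice-b.example": {          # has a consent platform, ignores opt-out
        "before_choice": {"JSESSIONID", "OptanonConsent"},
        "after_optout": {"JSESSIONID", "OptanonConsent", "_ga", "_gat_UA-1", "YSC"},
    },
    "hospital-c.example": {          # compliant: only session/consent cookies
        "before_choice": {"sessionid"},
        "after_optout": {"sessionid", "cookie_choice"},
    },
}

if __name__ == "__main__":
    report = survey(SAMPLE_SITES)
    for host, verdict in report["verdicts"].items():
        status = "OK " if verdict.compliant else "FAIL"
        print(f"{status} {host}: after opt-out {sorted(verdict.after_optout)}")
    print(f"non-compliance rate: {report['non_compliance_rate']:.0%}")
    print("vendor share of non-compliant sites:", report["vendor_share_of_non_compliant"])
```

The second sample site is the case the 219-provider figure describes: a consent cookie is present, so a banner was shown, yet Google Analytics and YouTube cookies appear after the visitor declined. Matching only on cookie names is a floor, not a ceiling; a fuller crawl would also record outbound requests to tracker domains, since some vendors identify visitors without a cookie at all.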
Researchers pointed the finger at web editors who failed to properly configure their sites, rather than something nefarious, but still expected sensitive health issues to be handled more carefully.
Google Analytics cookies were found on 77 percent of non-compliant sites. Other common vendors included Facebook, Google and YouTube.
The GDPR imposes strict rules on organizations and is intended to guarantee responsible handling of personal data.
But 7DOTS said the “widespread failure to comply” raises “significant concerns” about the protection of patient data.
It also leaves website owners at risk of hefty fines, even though many will be unaware there is a problem, it added.
Cori Crider, director of tech justice group Foxglove, said: ‘Mistakes like this are the reason people don’t always feel safe sharing their health data for the good of the NHS.
‘The NHS urgently needs to make better use of data, but the only way that will ever work is if all parts of healthcare stop passing the trust test.
‘Patients want their private information to be private — and that means keeping companies like Google out.’
Sam Smith, of privacy campaign group medConfidential, said: ‘It’s bad enough that healthcare providers want to stalk their patients (but) it is indefensible that this is happening to CQC-registered healthcare providers, even if patients refuse.’
The research found that there are wide variations in compliance depending on the type of service offered.
Rehabilitation and substance abuse centers had the highest non-compliance rate at 92 percent, while 55 percent of primary care practices were deficient, as were 52 percent of hospitals.
Nick Williams, director at 7DOTS, said: ‘The results of our research show a worrying lack of compliance among healthcare providers.
‘This raises important questions about the security of patient and other website visitor data.
‘This has particular implications given the sensitivities within this sector and the need for patient privacy, particularly for more vulnerable patients such as those in resource recovery centres.’
He added: ‘Many healthcare providers will not be aware that they even have a problem as the website building will have been done by external providers.
‘But providers could face fines from the Information Commissioner’s Office and risk undermining customer trust if companies like Google and Meta use non-compliant data to create advertising audiences and target customers with unsolicited and inappropriate communications.’
A spokesperson for the Information Commissioner’s Office said: ‘People have the right to expect that organizations will handle their information securely and that it will only be used for the purpose they have been told.
‘Organizations must provide users with clear and comprehensive information when using cookies and similar technologies, especially when sensitive personal information is involved.
‘Users should ensure their choices are respected if they opt out of tracking or withhold their consent.’
An NHS spokesperson said: ‘NHS trusts and GP practices are responsible for their own websites and they must follow data protection legislation in relation to the use of cookies on their websites.
‘The NHS is investigating this matter and will take further action if necessary.’
Facebook and Google, which also owns YouTube, said their rules do not allow companies to target ads to users based on their medical conditions.
But 7DOTS said the NHS and other healthcare providers can use the information collected by the cookies to target ads to people who have previously visited their website.
Allowing a website owner to target someone based on the page previously visited is different from allowing a company to pay to target people based on their medical condition.
But this can still cause embarrassment or violate someone’s privacy if the ads are seen by other people using the same computer or mobile device.