NHS websites routinely hand over people’s health secrets to companies such as Google and Facebook without users’ consent, an investigation has revealed.
Tech giants are collecting users’ browsing habits and using the information to create detailed profiles for each visitor, through which they could target ads.
Researchers say page views likely indicate the medical conditions a patient is experiencing, such as cancer, gambling addiction, or more intimate problems like erectile dysfunction.
If visited on the same computer used to access social media accounts, it would even allow ‘Big Tech’ to create a complete picture of the user, including name, age and address.
Websites track users’ browsing habits by placing cookies or identifiers on their computers while they browse the Internet.
Under data protection laws, websites must inform users that they and third parties are placing these files on their computer and give them the opportunity to opt out. This usually comes in the form of a pop-up box asking them to “accept cookies”, something that has become increasingly familiar and frustrating to millions.
But new research by digital agency 7DOTS found that the majority of health and social care providers in the UK are breaching these regulations.
The company searched the Care Quality Commission’s public records and interrogated the websites of more than 3,500 registered organisations, such as hospitals, clinics and GP surgeries.
It then checked whether these sites gave visitors the option to opt out of tracking and whether they honored these requests.
The analysis revealed that 59 percent of websites were not compliant with the General Data Protection Regulation (GDPR).
Even among the 219 vendors that used reputable cookie consent management platforms, 63 percent ignored opt-out requests.
The researchers pointed the finger at web publishers who didn’t set up their sites properly, rather than anything nefarious, but still hoped that sensitive health issues would be treated more carefully.
Google Analytics cookies were found on 77 percent of non-compliant sites. Other common providers were Facebook, Google, and YouTube.
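An added example, not code from 7DOTS or the article, of how the two checks described above (is an opt-out offered, and is it honoured?) can be expressed once an auditor has recorded the cookie names a site sets on first load and again after the visitor declines; the table of tracking cookie names is the example's own assumption.

```python
from dataclasses import dataclass, field

# Cookie names commonly set by third-party analytics/advertising scripts.
# This table is the example's own assumption, not a list from the article.
TRACKING_COOKIES = {
    "_ga": "Google Analytics",
    "_gid": "Google Analytics",
    "_fbp": "Facebook Pixel",
}


@dataclass
class AuditResult:
    compliant: bool
    reasons: list = field(default_factory=list)   # why the site failed, if it did
    trackers: set = field(default_factory=set)    # providers whose cookies were seen


def classify(cookie_names):
    """Map each observed cookie name that matches the tracking table to its provider."""
    return {n: TRACKING_COOKIES[n] for n in cookie_names if n in TRACKING_COOKIES}


def audit_opt_out(consent_prompt_shown, cookies_on_load, cookies_after_decline):
    """Judge one site: an opt-out must be offered, non-essential trackers must not be
    set before the visitor chooses, and none may remain once the visitor declines."""
    result = AuditResult(compliant=True)
    before = classify(cookies_on_load)
    after = classify(cookies_after_decline)
    if not consent_prompt_shown:
        result.compliant = False
        result.reasons.append("no consent prompt offered")
    if before:
        result.compliant = False
        result.reasons.append(f"tracking cookies set before any choice: {sorted(before)}")
    if after:
        result.compliant = False
        result.reasons.append(f"tracking cookies present after opt-out: {sorted(after)}")
    result.trackers = set(before.values()) | set(after.values())
    return result


if __name__ == "__main__":
    # Constructed sample: a consent banner is shown, but Google Analytics
    # cookies appear after the visitor rejects tracking (opt-out ignored).
    print(audit_opt_out(True, ["PHPSESSID"], ["PHPSESSID", "_ga", "_gid"]))
```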
GDPR imposes strict rules on organizations and is designed to ensure the responsible handling of personal data.
But 7DOTS said the “widespread failure to comply” raises “significant concerns” about protecting patient data.
It also leaves website owners at risk of heavy fines, although many will not realize there is a problem, the company added.
Cori Crider, director of tech justice group Foxglove, said: “These types of errors are why people don’t always feel safe sharing their health data for the good of the NHS.”
“The NHS urgently needs to use data better, but the only way for that to work is for all parts of the health service to stop failing the trust test.
“Patients want their private records to be private, and that means keeping companies like Google out.”
Sam Smith, of privacy campaign group medConfidential, said: “It’s bad enough that providers wanted to mislead their patients, [but] it is indefensible that this is happening to CQC registered providers, even when patients reject it.”
The research found widespread variation in compliance depending on the type of service offered.
Substance abuse and rehabilitation centers had the highest non-compliance rate at 92 per cent, while 55 per cent of GP surgeries did not meet expectations, as did 52 per cent of hospitals.
Nick Williams, director of 7DOTS, said: “The results of our study reveal a worrying lack of compliance among healthcare providers.
“This raises important questions about the protection of data of patients and other website visitors.
“This has particular implications given the sensitivities within this sector and the need for patient privacy, particularly for the most vulnerable patients, such as those in substance recovery facilities.”
He added: “Many healthcare providers will not even realize they have a problem as the creation of the website will have been carried out by external providers.”
“But providers could face fines from the Information Commissioner’s Office and risk eroding customer trust if companies like Google and Meta use non-compliant data to create advertising audiences and target customers with unsolicited and inappropriate communications.”
A spokesperson for the Information Commissioner’s Office said: “People have a right to expect that organizations handle their information securely and that it is only used for the purpose they are told.
“Organizations must provide clear and complete information to users when using cookies and similar technologies, especially where sensitive personal information is involved.
“Users’ choice must be respected when they opt out of tracking or when they withhold consent.”
“The NHS is investigating this matter and will take further action if necessary.”
Facebook and Google, which also owns YouTube, said their rules do not allow companies to target ads to users based on their medical conditions.
But 7DOTS said the NHS and other healthcare providers could use the information collected by cookies to target ads to people who have previously visited their website.
Allowing a website owner to target someone based on them having previously visited their page differs from allowing any company to pay to target people based on their medical condition.
But this could still cause embarrassment or violate someone’s privacy if the ads are seen by other people using the same computer or mobile device.