WebMD, Healthline, Babycentre and Bupa are capturing sensitive data—such as medical problems and symptoms, drugs that are being taken, and menstrual cycles—and passing it on for targeted advertising campaigns.
The sites are capturing the data without permission, even though obtaining permission is a legal requirement in the UK and Europe, by using 'cookies' that monitor activity, an undercover investigation by the Financial Times has revealed.
Drug names that were entered into the website, Drugs.com, were passed to Google's advertising arm, DoubleClick, while queries about heart disease that were keyed into the British Heart Foundation, Bupa and Healthline sites were sent on to specialist online advertising firms such as Scorecard and OpenX.
With the data from the cookies (pieces of code that are embedded in people's browsers), Google and the others can follow a person around the internet, and that person will suddenly start seeing online advertisements about their condition or drugs for the problem.
Of the hundred health sites the FT analysed, 78 were passing on the data to DoubleClick, and 48 were also sending medical information to Amazon.
"This kind of data is clearly sensitive, has special protection and transmitting this data most likely violates the law," said Wolfie Christl, a researcher.