We’ve all done it. That moment of panic where you discover something slightly off with your body and take to the Internet for self-diagnosis. Strange rash? WebMD. Too much or too little bodily fluids? Medline Plus. Insect bite that looks like you might be in the beginning stages of growing another limb? Health.com.
Online symptom searching may seem benign, but could pose a threat to privacy, says University of Southern California-Los Angeles and Duke business school researcher Marco Huesch. Using interception software, Huesch looked at 20 leading health sites and found that seven of them leaked search terms to third-party trackers, including those listed above. Five also had social media tracking plug-ins. And there’s little doubt that "herpes" is a popular search term.
Third-party tracking is pretty much a given in the commercial space—and bundling data about purchases allows advertisers to target ads specifically to your online habits. In 2012, the Wall Street Journal published an analysis showing that 75% of "top websites" had code from social media sites (like a Facebook "like" button) that could link identities to web histories. But Huesch believes health data is another matter entirely. While third-party trackers take data just anonymous enough to avoid punishment under the Health Insurance Portability and Accountability Act (HIPAA), which is meant to keep private health information private and secure, he wonders how that information is sold, and what would happen if it got into the wrong hands.
"If you gather such data together with a unique identifier—date of birth, social security number, then you better believe HIPAA comes down on you like a brick building," Huesch says. "But the loophole here is that they’re gathering data, but maybe it’s grouped with other people with the same zip code. You could imagine that you could re-identify the data with a moment’s effort."
This isn’t the first time that physicians have raised concerns about patient data privacy. In 2010, social networking health site PatientsLikeMe found that it was subject to data scraping by Nielsen’s automated data collection tool. Nielsen dropped the practice after the tracking was made public, but patients are vulnerable in ways they can’t even control. In June, Bloomberg News reported that at least 26 states sell patient hospitalization data to health care information services companies, a multi-billion dollar business which in turn helps pharmaceutical companies microtarget ads.
Huesch says that he’d really only need six data points to tie an IP address to a name. And let’s say you’re depressed and look up the symptoms online—Huesch wonders if you wouldn’t be served life-insurance ads. Worse, what would happen if an employer found out? "This data has the potential to affect your future life," Huesch says. 'Imagine if some website bought STD data. You could imagine it could really have the potential to really crimp your style."
Instead, Huesch is pursuing his research with the goal of getting legislators to beef up HIPAA with online privacy amendments, similar to protection afforded to citizens by the EU. He’s also working with USC doctors and lawyers on a study that analyzes data bought from thousands of email addresses. "I have no anti-business bias here. I just want people to have some transparency and some protections," Huesch explains. "I think we should have legislation that governs what happens to data," he added. "It’s a Wild West."