WebMD and Healthline Exposed Violating Your Privacy

Analysis by Dr. Joseph Mercola. Expert review by Maryam Henein. Fact checked.

Story at-a-glance

  • Dozens of popular health websites are tracking, storing and sharing your personal data without explicit consent, including WebMD (the leading health website) and Healthline (currently the third most popular health site)
  • Of 100 health websites, 78% shared user data with DoubleClick, Google’s advertising arm, while 48% shared data with Amazon. Facebook, Microsoft and AppNexus, another advertising firm, also received user data
  • This kind of information sharing is illegal in Europe. The EU’s General Data Protection Regulation requires websites to request and obtain explicit consent for the sharing of “special category data,” which includes health data
  • Google claims it does not build advertising profiles from sensitive data and does not permit advertisers to use such data to target ads, yet if not used for advertising, what is the health data being used for, and why is it collected and shared in the first place?
  • A report by the data privacy advocacy group Privacy International revealed mental health websites are also sharing sensitive personal data with third parties without the consent required under EU law. Some websites shared data with third parties over HTTP rather than HTTPS, which means the data, which contain unique identifiers, are susceptible to interception by hackers as well

As reported in a November 12, 2019, Financial Times article,1 dozens of popular health websites are tracking, storing and sharing your personal data, including WebMD (the leading health website) and Healthline (currently the third most popular health site2).

These two websites also, as of this year, dominate Google health searches, which virtually guarantees their continued growth and influence. “Establishment, big corporate pharma websites like WebMD are monopolizing the first page of results,” Google Whistleblower Zach Vorhies confirmed in an interview with The Epoch Times.3

I wrote about how these two websites use and share your data in my November 8, 2019, article “Shocking Proof How Google Censors Health News.” I’ve also covered this issue in other articles, so the Financial Times’ report came as no surprise to me.

What some might not know is that this kind of information sharing is illegal in Europe. As reported by Financial Times:4

“Using open-source tools to analyse 100 health websites, which include WebMD, Healthline, Babycentre and Bupa, an FT investigation found that 79 per cent of the sites dropped ‘cookies’ — little bits of code that, when embedded in your browser, allow third-party companies to track individuals around the internet. This was done without the consent that is a legal requirement in the UK.”

Seventy-eight percent of the sites shared user data with DoubleClick, Google’s advertising arm, while 48% shared data with Amazon. Facebook, Microsoft and AppNexus, another advertising firm, also received user data.

What this means is that DoubleClick, Google’s ad service, will know which prescriptions you’ve searched for on these websites and can serve you personalized drug ads, and Facebook will know what you’ve searched for in WebMD’s symptom checker, as well as any diagnoses you received.

European Law Is Unambiguous and Far Stricter Than the US

According to Financial Times,5 “keywords such as ‘heart disease’ and ‘considering abortion’ were shared” from several sites, including Healthline, and eight of the 100 sites tested included specific identifiers that allow third parties to tie the information to specific individuals. Tracker cookies were also dropped without consent or before any consent was given.

The following graphic, created by Financial Times, illustrates the flow of data from BabyCenter.com, a site that focuses on pregnancy, children’s health and parenting, to third parties, and the types of advertising these third parties then generate.

[Graphic: user data sent to third parties]

Wolfie Christl, a technologist and researcher, told Financial Times: “These findings are quite remarkable, and very concerning. From my perspective, this kind of data are clearly sensitive, has special protections under the [General Data Protection Regulation] and transmitting this data most likely violates the law.”

Phil Smith, director-general of the U.K.’s Incorporated Society of British Advertisers, told Campaignlive.com7 that the EU’s General Data Protection Regulation — which was implemented in May 2018 — is unambiguous and straightforward: Websites must request and obtain “explicit consent for the sharing of ‘special category data,’” which includes health data.

Other special category data considered to be particularly sensitive and needing explicit consent to be shared include race, ethnic origin, political persuasion, religious affiliation, trade union membership, genetics, biometrics, sexual orientation and details relating to your sex life.

Weeding Out ‘Undesirables’ 

In response to Financial Times’ report, Google said it “does not build advertising profiles from sensitive data,” and that it has “strict policies preventing advertisers from using such data to target ads.”8 Well, if it’s not being used to personalize medical ads, what is the health data being used for, and why is it collected and shared in the first place?

According to Tim Libert, a computer scientist at Carnegie Mellon University who developed the open-source tool Financial Times used to investigate the information sharing, medical information can be used to “prey on the ill and vulnerable.”9 Health data can also be used to secretly discriminate against certain individuals. As noted by Libert:10

“As medical expenses leave many with less to spend on luxuries, these users may be segregated into ‘data silos’ of undesirables who are then excluded from favorable offers and prices. This forms a subtle, but real, form of discrimination against those perceived to be ill.”

Your Mental Health Data Is Also Shared

A September 3, 2019, report11 by the data privacy advocacy group Privacy International revealed mental health websites are also sharing sensitive personal data with third parties — including the answers and results from depression tests — again without the consent required under EU law.

This analysis looked at 136 European mental health web pages, finding 97.8% of them had third-party elements such as cookies, and 76.04% had third-party trackers for marketing purposes.12

What’s more, some websites shared data with third parties over hypertext transfer protocol (HTTP) rather than hypertext transfer protocol secure (HTTPS), which is used for secure communications over a computer network. This means the data, which contain unique identifiers, are susceptible to interception by hackers as well.13
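One way to check a recorded page load for the issues described above (third-party requests, plaintext HTTP, unique identifiers and health keywords sent along), as an added example that is not from the article or from the tools it cites. The hostnames, parameter names and request records are constructed, and comparing the last two host labels is a simplifying assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: requests a browser might record while loading one page.
PAGE = "https://health.example/conditions/heart-disease"
REQUESTS = [
    {"url": "https://health.example/static/app.js", "referer": PAGE},
    # Keyword is not in the query, but the full page URL travels in the Referer.
    {"url": "https://ads.tracker-a.example/pixel?uid=7f3c9a1e5b2d4c68", "referer": PAGE},
    # Plaintext request carrying both an identifier and the page topic.
    {"url": "http://cdn.tracker-b.example/t.gif?cid=a1b2c3d4e5f60718&page=heart-disease"},
    # Third party, but only the origin is sent as Referer and no identifier.
    {"url": "https://fonts.tracker-c.example/font.woff2", "referer": "https://health.example/"},
]
SENSITIVE = ["heart-disease", "considering-abortion"]  # example terms to look for
ID_VALUE = re.compile(r"^[0-9a-fA-F-]{16,}$")          # long hex or UUID-like value


def site(host):
    """Naive registrable domain: last two labels (assumption; a real audit
    would use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def audit(page_url, requests):
    """Return one finding per third-party request made by the page."""
    first_party = site(urlsplit(page_url).hostname)
    findings = []
    for req in requests:
        parts = urlsplit(req["url"])
        if site(parts.hostname) == first_party:
            continue  # first-party resource, not shared with anyone else
        params = parse_qsl(parts.query)
        haystack = (parts.query + " " + req.get("referer", "")).lower()
        findings.append({
            "host": parts.hostname,
            "plaintext": parts.scheme == "http",  # readable on the wire
            "identifier_params": [k for k, v in params if ID_VALUE.match(v)],
            "leaked_terms": [t for t in SENSITIVE if t in haystack],
        })
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE, REQUESTS):
        print(finding)
```

A request that combines `plaintext`, a non-empty `identifier_params` and a non-empty `leaked_terms` is the worst case the paragraph describes: an identifier tied to a health topic, readable in transit.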

Two sites, the NHS mood test and depression.org.nz, also used “session replay scripts,” which “can be used to log (and then play back) everything users typed or clicked on a website.”14 In other words, they would be able to tell whether you altered your test answers and/or searches.

Opt Out Option Is Still Not User Friendly

On a side note, Financial Times brings up a popup about its cookies and gives you the option to opt out of advertising based on your use of the Financial Times site. It also gives you the option to opt out of advertising based on your online activity, which is tracked by third party cookies linked to its site.

Looking at their Manage Cookies page,15 you can get a feel for just how extensive that online activity tracking is. There are dozens of third party trackers, and you’d have to go to each one to opt out! Who has time for all of that — especially since you have to do that for every browser you use, and for every site you visit? While having the option to opt out is a step in the right direction, it’s still an unmanageable system for most users.

As noted in the Privacy International report, “The burden should be on websites to protect user privacy by design and by default.”16 In the meantime, Privacy International offers the following recommendations “to anybody looking for help and support online”:17

  • Block third party cookies on your browsers
  • Use ad blockers and antitracking add-ons
  • Before completing an online test for a mental health condition, make sure the website is trustworthy. If in doubt, seek out information from public health bodies, medical professionals or qualified charities
  • In the U.K., Samaritans can be contacted on 116 123. In Australia, the crisis support service Lifeline is on 13 11 14. In the U.S., the suicide prevention lifeline is 1-800-273-8255. Other international helplines can be found at www.befrienders.org

Health Publishers Make Millions Off Online Searches

A recent AdBeat blog18 reviews just how all of this personal information is being used to generate millions in advertising revenue. Health websites obviously attract drug ads and sponsorships, and the pharmaceutical industry has deep pockets. In his blog, Bradley Nickel points out that:

“According to the Pew Research Center, 72% of people looked online for health information within the past year … WebMD reports an average of 206 million unique users per month, and over 400 billion page views per quarter.”

There are many ways in which all these page views can be turned into revenue. Nickel reviews the monetization strategies of five health publishers: LifeScript (a women’s health publisher), WebMD, HealthCentral, eMedTV and Healthline.

Estimates suggest WebMD made $10,977,280 in advertising revenue in six months, which means its total revenue for a single year could reach as high as $22 million. A majority of this revenue comes from direct buys.

A majority of ads on WebMD are for over-the-counter drugs, which are strategically placed on related pages, meaning if you’re searching for “common cold,” you’re likely to find ads for Nyquil, Tylenol Cold & Flu, Sudafed and similar cold and flu remedies.

Healthline Is All About Matching Users to Its Advertisers

Healthline is not too far behind WebMD with an estimated six-month ad revenue of $7,025,644, with a majority of it coming from direct buys. Unlike WebMD, Healthline’s top ads are prescription drugs. As noted by Nickel:19

“Direct Buys are the name of the game when it comes to monetizing traffic from sites related to health and wellness. A prescription drug company is a publisher’s dream.

Drug companies tend to have lots of cash to spend on advertising, a desire for large amounts of traffic, and getting permission to advertise prescription drugs on Google and other ad networks can be difficult.”

In all, Healthline Media made more than $100 million in 2018. A big part of its rapidly growing success is its focus on content, AdExchanger contends.20 Before 2011, Healthline licensed content and didn’t create any of its own — a decision that threatened to bankrupt the company. According to AdExchanger:21

“Today, Healthline employs 150 clinicians to review articles and cites academic research in stories. When Google revamped its search algorithm in fall 2018, with the ‘Medic’ update,22 which changed the rankings for health sites based on the quality of their content, Healthline saw even more organic traffic sent its way.”

In an interview with AdExchanger, Healthline Media CEO David Kopp explains how user data are used to satisfy the needs of its direct advertisers. “Several hundred data points” are monitored internally, Kopp says, and for 32% of the company’s advertisers, the first or second metric is audience quality or cost per qualified user.

“For pharma, it might be someone diagnosed with a disease, and for a hospital, it might be someone looking for an ER in a geographic area,” he says. To allow advertisers to reach their target audience, Healthline places their advertisements “on content that is relevant to the product.”

This, clearly, is the most effective way to sell a product. Talk about its benefits in an article, and have ads for that very product in the side bar. This, by the way, is illegal for nutritional supplements. I cannot tell you about how to use berberine to treat your Type 2 diabetes and link to a berberine product in my online store, for example. Yet, this is precisely what they’re doing with drugs.

Healthline also offers condition-specific apps, where users can connect with others who have the same medical condition as they do. This, undoubtedly, gives advertisers a first-row seat with a captive audience — a very select group of people they can be sure are looking for specific remedies and products.

Boycott Google to Protect Your Privacy

In addition to all of this data mining, Google is also actively manipulating search results and making decisions about what you’re allowed to see and what you’re not based on its own and third party interests — a topic detailed in a November 15, 2019, Wall Street Journal investigation.23

The dangers of censorship, data mining of sensitive information and tracking should be self-evident. It won’t take long before most people think and believe whatever Google and its advertisers want people to think and believe, and spend their money accordingly.

This data mining could also end up being used in some sort of “social credit” system, similar to what already exists in China. Imagine not being allowed to purchase airplane tickets because you’re suspected of having a cold, based on your online searches and purchases, for example.

Or, think what would happen if you were denied a gym membership because you’ve been logged as having an STD. In truth, personal data can be misused in any number of unimaginable and discriminatory ways.

Now, more than ever, we must work together to share health information with others by word of mouth, by text and email. We have built in simple sharing tools at the top of each article so you can easily email or text interesting articles to your friends and family.

My information is here because all of you support and share it, and we can do this without Big Tech’s support. It’s time to boycott and share! Here are a few other suggestions:

Become a subscriber to my newsletter and encourage your friends and family to do the same. This is the easiest and safest way to make sure you’ll stay up to date on important health and environmental issues.

If you have any friends or relatives who are seriously interested in their health, please share important articles with them and encourage them to subscribe to our newsletter.

Consider dumping any Android phone the next time you get a phone. Android is a Google operating system and will seek to gather as much data as it can about you for Google’s benefit. iPhone, while not perfect, appears to have better privacy protections.

Use the internal Mercola.com search engine when searching for articles on my site.

Boycott Google by avoiding any and all Google products:

  • Stop using Google search engines. Alternatives include DuckDuckGo24 and Qwant25
  • Uninstall Google Chrome and use Brave or Opera browser instead, available for all computers and mobile devices.26 From a security perspective, Opera is far superior to Chrome and offers a free VPN service (virtual private network) to further preserve your privacy
  • If you have a Gmail account, try a non-Google email service such as ProtonMail,27 an encrypted email service based in Switzerland
  • Stop using Google docs. Digital Trends has published an article suggesting a number of alternatives28
  • If you’re a high school student, do not convert the Google accounts you created as a student into personal accounts

Sign the “Don’t be evil” petition created by Citizens Against Monopoly