Millions of people rely on Web sites like WebMD and Health.com for information about depression, sexually transmitted diseases, cancer and other sensitive personal health issues. But it can be difficult for consumers to understand how health sites may capture, analyze and share information about user searches and other activities â€" even the small minority of people who manage to slog all the way through the privacy policies.
In an effort to increase industry transparency, Lisa Madigan, the attorney general of Illinois, has opened an inquiry into the data-mining practices of some popular health sites.
On Tuesday, she sent letters to officials at eight sites asking for detailed information about their companies’ data collection, data storage and data sharing practices. The sites included: about.com; drugs.com; health.com; mayoclinic.com; menshealth.com; mercola.com; WebMd.com; and weightwatchers.com.
In the letters to the sites’ executives, Ms. Madigan said she was concerned about the potential dissemination of information related to people’s private health concerns.
“Health-related information, which would be protected from disclosure when said in a doctor’s office, can be captured, shared, and sold when entered into a Web site,†she wrote. “These concerns are likely overlooked by consumers, as the disclosures about capturing and sharing their information are often buried in privacy policies not found on websites’ main pages.â€
WebMD’s privacy policy, for example, says that the site does not make a user’s personal information - like a name or address â€" available to third parties for marketing purposes.
But third parties, the privacy policy says, may use non-personal data to target WebMD users with ads related to their interests. The policy added that WebMD may combine personal and nonpersonal information about users on the site, or may collate that data with information gathered from external sources.
Risa Fisher, a spokeswoman for WebMD, said that the company had just received Ms. Madigan’s letter of inquiry and planned to provide the information she requested about its user data practices.
“Privacy is very important to WebMD and our policies are designed to fully protect the personal health information of our users,†Ms. Fisher said.
The Illinois inquiry comes after the publication a few days ago of a research letter in a medical journal reporting that some popular health portals leaked information about users’ health searches to third parties, like social networks or ad networks, operating on their Web sites.
For his research, Marco D. Huesch, a health care policy researcher at the Sol Price School of Public Policy at University of Southern California searched for content related to depression, herpes and cancer on 20 popular health-related Web sites.
In the letter about his study, published in JAMA Internal Medicine, he said that 13 of those sites used third-party tracking elements like cookies or social media plug-ins. Seven of the sites, he wrote, leaked his health searches to third-party trackers.
Although Mr. Huesch wrote that he could not determine whether the third parties misused the information, he found the leakage of the health searches worrisome in itself.
“The ramifications could span embarrassment, discrimination in the labor market,†Mr. Huesch wrote, “or the deliberate decision by marketers not to offer or advertise particular goods and services to an individual, based solely on the companies’ privately gathered knowledge.â€
The online advertising industry is keenly aware of such concerns.
This year, the Network Advertising Initiative, an industry self-regulatory association for third-party digital ad companies, revised its code of conduct to require that its members obtain user permission before collecting information about certain specific health conditions.
The conditions that would require user permission include “all types of cancer, mental health related conditions, and sexually transmitted diseases,†the revised code said, but not acne, high blood pressure, heartburn, cold and flu, or cholesterol management.
The self-regulatory group has nearly 100 members, according to its site. The updated version of code of conduct is scheduled to take effect next year.
