In the privacy of a doctor's office, a patient can ask any question and have it be covered under doctor-patient confidentiality. But what happens when patients want to search possible symptoms of a disease or ailment online?
It's common to search for treatments for a migraine or stomach pain on WebMD, or a flu strain on the Centers for Disease Control and Prevention website. But there's no way to know who else may be privy to that search information. So where do the data go when a patient presses enter?
That's what Tim Libert, a doctoral student at the University of Pennsylvania, wanted to know. He has been researching what happens with information that people search online and spoke with NPR's Robert Siegel about the privacy implications.
Interview Highlights
On what happens when someone searches a health issue
I took a list of 2,000 common disease names — I mean everything from migraines to breast cancer. I ran those through a search engine and I found about 80,000 pages that were related to those terms. I looked at those pages and I found about 90 percent of those, when you load the page on your computer, it tells hidden parties the address of the page you're looking at. In cases where that address has the name of the disease or something, these hidden parties get to find out what it is you're interested in.
On who these hidden parties are, and why they're interested
Most of the times it's advertisers — so these are your marquee names, your Googles and Facebooks. But I also found kind of further down there a fair amount of tracking going on by data brokers. So these are companies like Experian and Acxiom. And their core business model is not advertising per se, but selling information about you to whoever wants to buy it.
On what they would do with this search information
There's actually companies that sell lists of people who have different diseases or symptoms. There's been some kind of chilling cases: [There were] companies selling lists of people who had been raped or people who had AIDS. So there's a market for this stuff.
On the Health Insurance Portability and Accountability Act of 1996 [HIPAA] and its relation to online data privacy
HIPAA's a pretty good law, but HIPAA was made long before the Web was really in everybody's home and very well before smartphones existed.
Anything that is happening on the Web today is pretty much completely unregulated. There's really no oversight and there's no real standards either. Companies aren't required to encrypt the information to keep it in a secure place. And we've also been seeing a lot lately that this is of interest to criminals, so there is additional kind of worry that not only is it not protected by HIPAA — it's not really protected at all.
The CDC pointed us to its online privacy policy, which says the data it sends to Google Analytics, for instance, are anonymized. But Libert says that's "not nearly sufficient." He says that doesn't provide the kind of protection that federal law requires for doctors' visits.
In a statement, WebMD says that it "may collect data about our users' online browsing and use that data to deliver advertisements to our users. WebMD's collection and use of data is described in greater detail in our Privacy Policy. The policy also describes how we protect user information and the choices we offer users for opting out of behavioral advertising by WebMD."
Copyright 2021 NPR. To see more, visit https://www.npr.org.