Revealed: NHS websites are handing out YOUR health secrets to the likes of Google and Facebook without your consent

NHS websites are routinely handing people’s health secrets to the likes of Google and Facebook without users’ consent, an investigation has revealed.

The tech giants are harvesting the browsing habits of users and using the information to build detailed profiles for each visitor, through which they could target adverts.

The pages viewed are likely to indicate the medical conditions a patient is living with, such as cancer, gambling addiction or more intimate issues like erectile dysfunction, researchers say.

If visited on the same computer as used to access social media accounts, it would even allow ‘Big Tech’ to build up a complete picture of the user including name, age and address.

Websites track users’ browsing habits by placing cookies, or identifiers, on their computer while they surf the internet.

Under data protection laws, websites should inform users that they and third-parties are placing these files on their computer and give them the opportunity to refuse. Usually this comes in the form of a pop-up box asking them to ‘accept cookies’, something that has become increasingly familiar and frustrating to millions.

But new research by digital agency 7DOTS found most health and social care providers in the UK are breaching these regulations.

The company searched public Care Quality Commission records and interrogated the websites of more than 3,500 signed-up organisations, such as hospitals, clinics and GP surgeries.

It then checked whether these sites gave visitors the option to opt out of tracking and whether it honoured these requests.

Analysis revealed 59 per cent of the websites were not compliant with the General Data Protection Regulation (GDPR).

Even among the 219 providers that used reputable cookie consent management platforms, 63 per cent ignored opt out requests.

Researchers pointed the finger at web editors who failed to properly configure their sites, rather than anything nefarious, but still expected sensitive health issues to be treated more carefully.

Cookies from Google Analytics were found on 77 per cent of non-compliant sites. Other common vendors included Facebook, Google and YouTube.

GDPR imposes stringent rules on organisations and it is designed to ensure the responsible handling of personal data.

But 7DOTS said the ‘widespread compliance failure’ raises ‘significant concerns’ about the safeguarding of patient data.

It also leaves the website owners at risk of hefty fines, even though many will be unaware that there is an issue, it added.

Cori Crider, a director at tech-justice group Foxglove, said: ‘These kinds of mistakes are why people don’t always feel safe to share their health data for the good of the NHS.

‘The NHS badly needs to use data better, but the only way that will ever work is for all parts of the health service to stop flunking the trust test.

‘Patients want their private records private – and that means keeping the likes of Google out.’

Sam Smith, from privacy campaign group medConfidential, said: ‘It’s bad enough that providers wanted to creep on their patients [but] it’s indefensible that this is happening on CQC registered providers even when patients decline.’

The investigation found widespread variance in compliance depending on the type of service being offered.

Rehabilitation and substance abuse centres had the highest rate of non-compliance at 92 per cent, while 55 per cent of GP surgeries fell short, as did 52 per cent of hospitals.

Nick Williams, director at 7DOTS, said: ‘The results of our study reveal a worrying lack of compliance among healthcare providers.

‘This raises significant questions about the safeguarding of patient and other website visitor data.

‘This has particular implications given the sensitivities within this sector and the need for patient privacy, particularly for more vulnerable patients such as those in substance recovery centres.’

He added: ‘Many healthcare providers will be unaware they even have an issue as the website builds will have been done by external providers.

‘But providers could face fines from the Information Commissioner’s Office and risk eroding customer trust if the likes of Google and Meta use non compliant data to create ad audiences and target customers with unsolicited and inappropriate communications.’

A spokesperson for the Information Commissioner’s Office said: ‘People have the right to expect that organisations will handle their information securely and that it will only be used for the purpose they are told.

‘Organisations must provide clear and comprehensive information to users when using cookies and similar technologies, especially where sensitive personal information is involved.

‘Users must have their choices respected when they opt out of tracking or withhold their consent.’

An NHS spokesperson said: ‘NHS trusts and GP practices are responsible for their own websites, and they must follow data protection laws in relation to the use of cookies on their websites.

‘The NHS is looking into this issue and will take further action if necessary.’

Facebook and Google, which also owns YouTube, said their rules do not allow firms to target adverts at users based on their medical conditions.

But 7DOTS said the NHS and other care providers could use the information gathered by the cookies to target adverts at people who have previously visited their website.

Allowing a website owner to target someone on the basis they have previously visited their page differs from allowing any firm to pay to target people on the basis of their medical condition.

But this could still cause embarrassment or breach someone’s privacy if the adverts are seen by other people who use the same computer or mobile device.