Medical Web sites say they protect the privacy of visitors, but they often share the information they collect with other companies, a new study has found.
That means a visitor seeking information on, say, erectile dysfunction might unknowingly be alerting online marketers to his condition. And while Bob Dole might feel comfortable talking about such things on national television, most consumers would not.
"We found that almost across the board, the privacy practices did not match the policies," said Janlori Goldman of the Health Privacy Project at Georgetown University, who conducted the research that went into the report released Tuesday in Washington at the e-Health Ethics Summit of major online health information providers.
The 21 leading health sites reviewed appear to understand the depth of consumer concerns about privacy, Goldman said, noting that the sites sport privacy policies prominently.
But the companies aren't following through on those privacy pledges, Goldman said. "They're giving people a false sense of confidence and a false sense of trust."
Consumers are turning to the Internet for medical information in record numbers, but a survey released just last week shows that medical privacy online remains a strong concern.
The poll, conducted for the California HealthCare Foundation, found that 75 percent of people are concerned about health Web sites passing along their personal data without permission and that 17 percent said they don't go online for such information because of privacy concerns.
The report compared consumer health care sites on the Internet to gawky adolescents _ with plenty of abilities but little self-control: "They have not matured enough to guarantee the quality of the information, protect consumers from product fraud or inappropriate prescribing, or guarantee the privacy of individuals' information."
The report found that increasingly common mechanisms known as "cookies" (bits of code placed on the user's computer that help a site identify him on return visits), banner advertisements and other technologies for gathering information on visitors make Web surfing a very public experience _ even when the user believes he is acting anonymously. Some information from cookies and banner advertisements is collected without informing the visitor that it is happening. A number of Web sites even gathered data that can be used to personally identify visitors and passed it along to third parties "in direct violation of stated privacy policies," the group found.
"There's much more info being asked of people at these sites than just about any other sites," said Richard Smith, a computer security consultant who was a technical adviser for the report.
Of particular concern were relationships with firms such as DoubleClick Inc., which collects information through online "banner ads" and has gathered more than 100-million files on visitors. Eight of the 21 sites reviewed had business relationships with DoubleClick; three more had similar deals with other firms.
By analyzing the underlying code in health-care Web sites, Smith said, he found that the information gathered in a survey or health self-evaluations was being transferred to another site without telling the consumer.
Marc E. Boulding, general counsel to Medscape.com, said the study should alert the industry to a need for change. But Boulding added that some use of medical information, with consumer consent and proper safeguards, will be necessary if the sites are going to be effective.