The title of the original article is a little misleading. It's _website_ visitor tracking and it looks like it's really just advertising analytics... That's maybe bad but it's also the same as like... 98% of all other websites.
That's really pretty much everything, Google knows you may think you have breast cancer -- email, gender, age, visit pages, etc. Certain sites and information classes/types are not just like the rest of 98%.
The title is totally misleading. It very much implies that hospitals are giving data about visitors to the hospital, which would be incredibly egregious.
Tracking website visitors is bad, but is something I 100% expect. If others aren't expecting this, that's a serious problem. People should absolutely be warned when it happens (or, better, laws should exist to prevent it from happening).
But web visitor tracking is not nearly as sensitive as tracking visitors to the hospitals (or any other health care provider premises) themselves.
I avoid the data leakage for sensitive things like health care by never using websites related to those things. I know that people often forget this, but at least in the US, using a website to interact with health care providers is not actually mandatory.
> I avoid the data leakage for sensitive things like health care by never using websites related to those things. I know that people often forget this, but at least in the US, using a website to interact with health care providers is not actually mandatory.
It is not mandatory but is made extremely onerous. I can get on the web site, authenticate while tracked, enter my request, or I can call an automated maze, get repeatedly dropped, talk to a ChatGPT knock-off, get dropped again, and maybe I get a human to answer my request. Then, I get an email asking if I am satisfied with the service.
Interesting. I have to admit, I've never had a problem talking to doctors' offices or the hospitals in my area by phone. No onerous phone trees (just a simple initial menu), no voice robots, and usually only a short wait to talk to a human.
I need to stop complaining about my hospital. Apparently, this is one area where they're above the grade. But even if my phone experience was like yours, I'd still use the phone instead of the web site due to privacy concerns.
In the end, as with all privacy/security issues, there's an inherent tradeoff between convenience and security. Everyone has a different place on that spectrum where they're most comfortable. But at least we can choose how much of a tradeoff we're willing to engage in.
About 98% of hospitals have committed some form of medical malpractice. The major problem is when people start accepting this as acceptable behavior. There are multiple places where sharing information with advertisers should be greatly restricted, including hospitals, lawyers, priests and so on. Government institutions like police emergency information centers should also avoid sharing data with advertisers, especially if that information gets transported over the border.
Yes, people make bad decisions all the time. Hospitals are not perfect and mistakes happen. They should however not continue making mistakes that harm patients.
How many of these websites remember to completely disable analytics on the sensitive logged-in portions of the site? Completely disable doesn’t mean “an intern once logged in to the analytics provider’s config page and asked them to, pretty please, not log certain pages, and no one ever re-checks that config.” The analytics script should straight-up not be present on the sensitive URLs.
(Frankly, the script should not be present at all on the sensitive origin. Ever heard of fetch or service workers or any other same-origin mechanism of collecting data?)
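An added example, not part of any comment above and not code from any site discussed: one way a site owner could re-check that a page on a sensitive origin loads nothing cross-origin, covering scripts plus tracking pixels and iframes. It assumes the page HTML has already been fetched; the hostnames and markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)


class _Collector(HTMLParser):
    # Elements whose URL attribute makes the browser issue a request.
    LOADERS = {"script": "src", "iframe": "src", "img": "src"}

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            # <base href> changes how later relative URLs resolve.
            self.base = urljoin(self.base, a["href"])
        attr = self.LOADERS.get(tag)
        if attr and a.get(attr):
            self.refs.append((tag, urljoin(self.base, a[attr])))


def cross_origin_loads(page_url, html):
    """List (tag, url) pairs fetched from an origin other than the page's."""
    c = _Collector(page_url)
    c.feed(html)
    here = origin(page_url)
    return [(t, u) for t, u in c.refs
            if urlsplit(u).scheme in ("http", "https") and origin(u) != here]


# Constructed sample: a logged-in results page with a vendor tag and a pixel.
SAMPLE_PAGE_URL = "https://portal.hospital.example/records/results"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//analytics.vendor.example/tag.js" async></script>
</head><body>
<img src="https://pixel.vendor.example/p.gif?u=123" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<script src="https://portal.hospital.example:443/static/chart.js"></script>
</body></html>"""
```

This only sees what is in the served markup; scripts injected at runtime by a same-origin script need a browser-level check such as a restrictive Content-Security-Policy with reporting.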