
Nearly all abortion clinic webpages using third-party trackers transfer user data

Third-party web trackers and subsequent data sharing were found on nearly all abortion clinic webpages, adding another risk to patients and their privacy amid the ongoing abortion ruling fallout. (Photo credit: "EMT/Nursing Pediatric Emergency Simulation - April 2013 20" by COD Newsroom is licensed under CC BY 2.0.)

An analysis of webpages tied to 414 abortion clinics by University of Pennsylvania and Carnegie Mellon University researchers found third-party trackers on most of the sites, nearly all of which (99.1%) transfer user data, according to a study published in JAMA.

Of the 223 accessible web pages, 221 included a third-party data transfer and 154 included a third-party cookie. The researchers explained that “across all web pages, we identified data transfers to 290 unique third-party domains owned by 66 unique parent entities.”

The transferred data included the users’ IP address and the name of the visited webpage, researchers explained.

Perhaps more alarming is where the transferred data is going: 97.3% of the web pages reported data to Alphabet (Google), 38.1% reported to Meta (Facebook), 32.7% to Adobe Systems, and 25.1% to Microsoft. And 162 webpages had at least one data transfer to a third-party domain where the parent company could not be identified.

Thus, “third-party tracking code on abortion clinic webpages may present a privacy risk.”

Third-party tracking another element in privacy concerns post-Roe

The results of the study add another element of concern for privacy and cybersecurity risks faced by women amid the continued contentious abortion fight since the Supreme Court’s ruling in Dobbs v. Jackson overturned Roe v. Wade. Stakeholders have raised alarms over geolocation tracking, the sale of data to third-party brokers, and Facebook Pixel’s alleged data scraping.

The researchers behind the JAMA analysis assessed third-party tracking use on abortion clinic sites by extracting the URL of each National Abortion Federation member facility in May. One hundred and forty-three of the sites were tied to Planned Parenthood, 40 were virtual, 18 were hospital-affiliated, and the remaining were freestanding clinics.

Using a third-party detection tool, the researchers recorded data transfers to third-party domains and the presence of third-party cookies, the data stored on users’ computers that can facilitate tracking.

This code is commonly used by website maintainers to add functionality like ad campaign monitoring or social media links. But the same code can also enable advertisers, social media companies, and others “to record when someone visits an abortion clinic’s website and how they navigate that site.” 

“Routinely linked with other data, this browsing history could contribute to evidence that someone has sought an abortion,” according to researchers. “The number of tracking entities has implications for user privacy because each could sell or share browsing data with law enforcement or civil litigants.”

In states that have criminalized abortion or empowered citizens to report others for suspected abortions, the use of these cookies on abortion sites could seriously endanger women. For example, law enforcement could use patients’ digital footprints, such as smartphone app data and internet search histories, to identify and charge individuals suspected of having abortions.

The study was limited because some of the clinics listed by the National Abortion Federation had inaccessible URLs, the researchers wrote. But it’s unlikely tracking would differ on these sites. And after the high court’s ruling, some clinics may also have closed and/or taken down the websites.

In response to these findings and the clear risk, the researchers urged abortion clinics to audit their websites to find and remove these third-party trackers. As a reminder, the Health Insurance Portability and Accountability Act does not protect browsing data.
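
As an added illustration (not code from the study or from this article), here is one way a site owner could run the kind of audit the researchers recommend: load a page in a browser, export the network log as a HAR file, and list each third-party domain contacted, the cookies it set or received, and whether the visited page's URL was sent to it. The hostnames, the sample capture, and the two-label domain heuristic are assumptions made for the example.

```python
import json
from urllib.parse import urlsplit

def site_of(host):
    # Assumption: last two labels approximate the registrable domain; a real
    # audit should use the Public Suffix List (e.g. for co.uk-style suffixes).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit_har(har, first_party_host):
    """Summarise third-party requests, cookies and page-URL disclosure in a HAR log."""
    own, findings = site_of(first_party_host), {}
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        url = urlsplit(req["url"])
        site = site_of(url.hostname or "")
        if not url.hostname or site == own:
            continue  # first-party request (including subdomains)
        f = findings.setdefault(site, {"requests": 0, "cookies": set(), "page_url_sent": False})
        f["requests"] += 1  # every request also exposes the visitor's IP address
        for c in req.get("cookies", []) + resp.get("cookies", []):
            f["cookies"].add(c["name"])  # third-party cookie sent or set
        referer = "".join(h["value"] for h in req.get("headers", [])
                          if h["name"].lower() == "referer")
        if first_party_host in referer or first_party_host in url.query:
            f["page_url_sent"] = True  # visited page disclosed to the third party
    return findings

# Constructed sample capture (HAR 1.2 field names; hosts are placeholders).
SAMPLE_HAR = json.loads("""{"log": {"entries": [
 {"request": {"url": "https://clinic.example/services/", "headers": [], "cookies": []},
  "response": {"cookies": [{"name": "session", "value": "x"}]}},
 {"request": {"url": "https://cdn.clinic.example/app.js", "headers": [], "cookies": []},
  "response": {"cookies": []}},
 {"request": {"url": "https://collect.tracker-a.example/hit?dl=https%3A%2F%2Fclinic.example%2Fservices%2F",
              "headers": [], "cookies": []},
  "response": {"cookies": [{"name": "_tid", "value": "abc"}]}},
 {"request": {"url": "https://pixel.social-b.example/tr",
              "headers": [{"name": "Referer", "value": "https://clinic.example/services/"}],
              "cookies": [{"name": "uid", "value": "123"}]},
  "response": {"cookies": []}},
 {"request": {"url": "https://fonts.static-c.example/font.woff2", "headers": [], "cookies": []},
  "response": {"cookies": []}}
]}}""")

if __name__ == "__main__":
    for site, f in sorted(audit_har(SAMPLE_HAR, "clinic.example").items()):
        print(site, f["requests"], sorted(f["cookies"]), f["page_url_sent"])
```

A domain that appears with no cookies and no page URL, like the font host in the sample, still receives the visitor's IP address on every request, which is one of the two data items the study reported as transferred.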

Providers should warn patients seeking an abortion of HIPAA limitations, while encouraging the installation of tracking-blocking browser extensions and adjusting privacy settings on browsers and smartphones.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
