Purpose With digitalization, using essential digital services such as online services has become increasingly common. These services process sensitive health related data, such as customers' prescription medicine orders, which makes ensuring stringent data privacy crucial. The current study examines third parties such as analytics services on Finnish pharmacy websites and investigates the nature and contents of data leaks on these websites.

Methods We perform an extensive network traffic analysis to reveal data leaks among 163 Finnish online pharmacies. We also study a set of privacy policies of these online pharmacies, and provide a legal analysis regarding the interpretation of the concept of data concerning health in the context of online pharmacies.

Results Our findings reveal serious data leaks among Finnish online pharmacies. We found 145 pharmacies had third-party services on their websites and only 18 did not. Out of all 163 online pharmacies, 57 (35.0 %) leaked a specific prescription medicine name connected with identifying personal data on the customer. We argue that the information concerning purchases on the prescription medicines should be interpreted as data concerning health to ensure efficient protection of customers' right to data protection and privacy.

Conclusions We hope that these concerning results will serve as a wake-up call for the developers and maintainers of online pharmacies and other web services processing sensitive data. Any third-party services incorporated into websites processing sensitive personal data should be closely inspected in terms of data leaks, or preferably not used at all.