Refereed journal article or data article (A1)

Analyzing third-party data leaks on online pharmacy websites




List of AuthorsRauti Sampsa, Carlsson Robin, Mickelsson Sini, Mäkilä Tuomas, Heino Timi, Pirjatanniemi Elina, Leppänen Ville

PublisherSPRINGER HEIDELBERG

PlaceHEIDELBERG

Publication year2024

JournalHealth and technology

Journal acronymHEALTH TECHNOL-GER

Volume number14

Start page375

End page392

Number of pages18

ISSN2190-7188

eISSN2190-7196

DOIhttp://dx.doi.org/10.1007/s12553-024-00819-w

URLhttps://link.springer.com/article/10.1007/s12553-024-00819-w

Self-archived copy’s web addresshttps://research.utu.fi/converis/portal/detail/Publication/386995639


Abstract

Purpose With digitalization, using essential digital services such as online services has become increasingly common. These services process sensitive health related data, such as customers' prescription medicine orders, which makes ensuring stringent data privacy crucial. The current study examines third parties such as analytics services on Finnish pharmacy websites and investigates the nature and contents of data leaks on these websites.

Methods We perform an extensive network traffic analysis to reveal data leaks among 163 Finnish online pharmacies. We also study a set of privacy policies of these online pharmacies, and provide a legal analysis regarding the interpretation of the concept of data concerning health in the context of online pharmacies.

Results Our findings reveal serious data leaks among Finnish online pharmacies. We found 145 pharmacies had third-party services on their websites and only 18 did not. Out of all 163 online pharmacies, 57 (35.0 %) leaked a specific prescription medicine name connected with identifying personal data on the customer. We argue that the information concerning purchases on the prescription medicines should be interpreted as data concerning health to ensure efficient protection of customers' right to data protection and privacy.

Conclusions We hope that these concerning results will serve as a wake-up call for the developers and maintainers of online pharmacies and other web services processing sensitive data. Any third-party services incorporated into websites processing sensitive personal data should be closely inspected in terms of data leaks, or preferably not used at all.


Downloadable publication

This is an electronic reprint of the original article.
This reprint may differ from the original in pagination and typographic detail. Please cite the original version.




Last updated on 2024-26-02 at 15:03