WebMD’s website has numerous features that transmit health information: both generic information about specific health conditions and symptoms, and personal health information linked with a user account that has identifying user details.
Any time someone accesses or transmits medical content online, whether generic or linked with their user account, that information should be encrypted with HTTPS so that anyone able to intercept the network connection (e.g. on a public Wi-Fi network at a café or airport, or your employer) cannot discover your medical symptoms, conditions, and medications.
Unfortunately, WebMD uses HTTPS almost nowhere on its site: only when a user actually signs up or logs in. And once the user is logged in, the site sends them right back to unencrypted HTTP.
Even though a user may sign up using a pseudonymous username, they are still prompted for their email address, first name, last name, a profile photo, and ZIP Code, all of which can be personally identifying to others.
Writing a post on WebMD’s condition-specific forums? Well, anyone monitoring or intercepting network traffic now knows that you have the condition, along with anything you write or have written in the past.
Entering an HIV medication in WebMD’s medication tracker? Well, anyone monitoring the network now knows that you’re HIV positive.
As mentioned, WebMD does use HTTPS (TLS/SSL) to encrypt the sign-up, authentication (login), and account management pages. However, if a site lets a user continue onto unencrypted HTTP pages after authenticating, as WebMD does, that work is for naught: a user’s session data sent over HTTP can easily be hijacked, and someone across a café or airport could then continue using WebMD’s site as you and see anything that you could see.
Even the more generic portions of WebMD’s site, like informational pages about specific conditions or the WebMD Symptom Checker, use insecure HTTP. Although those pages are not tied to a specific user account unless you are logged in, they still transmit information about your specific medical symptoms and conditions insecurely, and that’s not okay.
This HTTP Shame was submitted by John, who writes in below to share his email to WebMD, and their oh-so-typical we-take-your-privacy-seriously message, which is affirmatively and provably false.
As seen in WebMD’s response, they encourage users not to post identifying information, but fail to consider users who, as noted above, might be using WebMD on a public network at a café or airport, or the case where an employer may be monitoring employee internet traffic. Workplace medical discrimination does happen, and WebMD is in the wrong here.
WebMD should switch to HTTPS across its entire site, with long-duration HSTS and session cookies set with the ‘Secure’ flag, to ensure that all data in transit is encrypted, that authenticated user sessions only happen over HTTPS, and that users are on the authentic WebMD site.
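As an added example (not code from this post or from WebMD), here is a small Python checker that grades captured HTTP responses against the three recommendations above: plain HTTP redirects to HTTPS, HSTS with a long max-age, and session cookies carrying the Secure flag. The cookie name, header values and the one-year HSTS threshold are constructed assumptions for the example.

```python
import re
from typing import Iterable, List, Optional

# "Long-duration" HSTS: one year is an assumed threshold for this example.
MIN_HSTS_MAX_AGE = 365 * 24 * 3600

def http_redirects_to_https(status: int, location: Optional[str]) -> bool:
    """True if a plain-HTTP response sends the client to an https:// URL."""
    return status in (301, 302, 307, 308) and bool(location) \
        and location.lower().startswith("https://")

def hsts_max_age(header: Optional[str]) -> Optional[int]:
    """Parse max-age out of a Strict-Transport-Security value; None if absent."""
    if not header:
        return None
    m = re.search(r'max-age\s*=\s*"?(\d+)', header, re.IGNORECASE)
    return int(m.group(1)) if m else None

def cookies_missing_secure(set_cookie_headers: Iterable[str]) -> List[str]:
    """Names of cookies set without the Secure attribute, i.e. cookies the
    browser will also send over plain HTTP where they can be sniffed."""
    missing = []
    for raw in set_cookie_headers:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            missing.append(name)
    return missing

def audit(http_status, http_location, hsts_header, set_cookie_headers) -> dict:
    """Combine the three checks into one report (True = check passed)."""
    age = hsts_max_age(hsts_header)
    return {
        "http_redirects_to_https": http_redirects_to_https(http_status, http_location),
        "hsts_long_duration": age is not None and age >= MIN_HSTS_MAX_AGE,
        "cookies_missing_secure": cookies_missing_secure(set_cookie_headers),
    }

# Constructed sample responses: the posture described in the post, and the fix.
WEAK = audit(200, None, None, ["sid=abc123; Path=/; HttpOnly"])
HARDENED = audit(301, "https://example.invalid/",
                 "max-age=31536000; includeSubDomains",
                 ["sid=abc123; Path=/; Secure; HttpOnly"])

if __name__ == "__main__":
    print("weak:", WEAK)
    print("hardened:", HARDENED)
```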
John’s comment to WebMD Customer Care Team:
WebMD asks me (via e.g. the Symptom Checker) to transmit private health information over the internet. I’m comfortable with sharing this information with WebMD, but not with unrelated third parties such as my internet service provider or strangers connected to the same wireless network.
Most sites in this situation offer access via a secure connection (HTTPS) in order to prevent third parties from viewing sensitive information. Wikipedia is a good example of this.
When I try to access WebMD via a secure connection, however, it returns an “Error 404” or “Access Denied” error message.
How can I access WebMD privately?
Thank you,
John
Response from WebMD:
Hi John,
WebMD takes very seriously the privacy and security of our users. The information submitted by our users is used as outlined and defined in our Privacy Policy (http://www.webmd.com/about-webmd-policies/about-privacy-policy).
Further, WebMD does not rent, lease, sell or otherwise disclose Personally Identifiable Information (PII) about our users to any third party without proper notice, consent and choice.
We encourage our users not to disclose any information in a public forum (message boards, chat rooms etc.) which might allow an unauthorized third party to contact them, including email address.
Thanks for making WebMD your site of choice for all of your health and wellness information needs.
Yours in health,
WebMD Customer Care