
Since the coronavirus pandemic first emerged in the United States, millions of Americans have gone online to search for information related to the virus or Covid-19, the disease it causes. Most had no idea they were revealing information about themselves — not just to the government agencies, hospital systems, or media outlets whose websites they visited, but to third-party companies that surreptitiously track their activity and invade their online privacy.

Suppose you want to get tested for Covid-19. A quick web search might lead you to the Department of Health and Human Services’ testing information page. It offers a helpful state-by-state directory of community-based testing sites. What you don’t see is that the page includes hidden tracking code from 17 different third-party domains owned by companies including Google, Oracle, and Twitter.

As you scroll through the HHS webpage, these companies log information about your visit and then use it to send you targeted advertisements. They may also sell it to other companies.


That for-profit businesses are tracking your visit to a government-operated Covid-19 webpage may be shocking, but this loss of online privacy isn’t unusual.

With several colleagues, we used Google Trends data to identify 538 unique webpages likely to be visited by people seeking information about Covid-19. These included pages on the websites of government agencies, academic medical centers, major media outlets, and popular health sites. As we reported recently in the Journal of the American Medical Association, all but three of the pages we analyzed included third-party code.


Commercial (.com) webpages were the worst offenders. WebMD’s coronavirus landing page, for example, contains 103 cookies set by 58 third-party domains. STAT’s is even higher: 137 cookies set by 75 third-party domains. But perhaps more troubling is the fact that tracking is inescapable even on government, academic, and nonprofit webpages, making it virtually impossible to access information about Covid-19 anywhere on the web without trackers looking over your shoulder.

Third-party code on a Covid-19 testing page published by the U.S. Department of Health and Human Services
Third-party code on WebMD’s coronavirus landing page

While Covid-related web tracking has not received anywhere near the same degree of public scrutiny as location-based contact tracing apps, it also poses serious privacy risks.

Like data from contact tracing apps, the webpages you visit can reveal sensitive information about your health, including your Covid-19 status. If you suddenly begin searching for Covid testing sites and, a few days later, begin searching for information about the long-term effects of the virus, third parties may infer, rightly or wrongly, that you’ve been infected. Yet your browsing data isn’t treated as protected health information. It’s treated as marketing data, freely bought and sold by data brokers, advertisers, and social media companies.

It’s too soon to know the full consequences of Covid-19-related web tracking and breach of online privacy, but there is reason to be concerned. In the short term, marketers can use this information to target sham “Covid cures” to those who might have the infection. In the long term, tracking data could be used to profile those who have had Covid-19. The emerging “long-hauler” phenomenon of chronic Covid-19 may lead to higher long-term health care costs and lower worker productivity for those who have been infected. Those affected might never see ads from potential employers, because those ads could be targeted to avoid people who have been infected with Covid.

As with its response to the virus, the U.S. is far behind the rest of the world when it comes to protecting citizens online. Attempts by Congress to pass comprehensive privacy legislation have been stalled for years. While individual states like California are attempting to fill the gap with their own laws, Covid-19 has underscored the fact that a national law to protect Americans’ privacy is still sorely needed. In the meantime, we should all demand more from the institutions that provide us with news and information about Covid-19.

Leaders of federal and state government agencies should order privacy audits of their public-facing websites, especially those devoted to Covid-19 or health. Heads of academic medical centers and other nonprofit health care organizations should do the same. These institutions have a special obligation to provide the public with easy access to reliable information about Covid-19 and shouldn’t make you pay for that information with your privacy.

It’s likely that many leaders of these institutions never consciously decided to enable third-party tracking on their websites. They simply overlooked the fact that “free” tools used to monitor website traffic transmit user data to third parties. As part of online privacy audits, these tools should be identified and permanently removed from websites.
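One way to start such an audit, as an added example (not code from the authors or their study): record a page load in the browser's developer tools, export it as a HAR file, and list every host outside your own domain along with the cookies it sets. The hostnames and the `SAMPLE_HAR` record are constructed for illustration, and the function names are hypothetical.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HAR 1.2 shape (log.entries[].request/response); not real traffic.
def _entry(url, cookies=(), set_cookie=()):
    return {"request": {"url": url},
            "response": {"cookies": [{"name": n} for n in cookies],
                         "headers": [{"name": "Set-Cookie", "value": v} for v in set_cookie]}}

SAMPLE_HAR = {"log": {"entries": [
    _entry("https://www.agency.example/testing", cookies=["session"]),
    _entry("https://stats.tracker.example/collect?page=/testing", cookies=["_uid"]),
    _entry("https://stats.tracker.example/beacon.gif", set_cookie=["_sess=abc; Path=/"]),
    _entry("https://pixel.adnetwork.example/p.js", cookies=["ad_id"], set_cookie=["ad_id=1; Secure"]),
    _entry("https://notagency.example/widget.js"),  # lookalike name, still third party
]}}

def is_first_party(host, site):
    """True only for the site itself or a subdomain of it (label-boundary match)."""
    host = host.lower().rstrip(".")
    return host == site or host.endswith("." + site)

def audit_har(har, site):
    """Map each third-party host to its request count and the cookie names it set."""
    site = site.lower()
    seen = defaultdict(lambda: {"requests": 0, "cookies": set()})
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host or is_first_party(host, site):
            continue
        rec = seen[host]
        rec["requests"] += 1
        resp = entry.get("response", {})
        rec["cookies"].update(c["name"] for c in resp.get("cookies", []))
        for header in resp.get("headers", []):
            if header["name"].lower() == "set-cookie":
                rec["cookies"].add(header["value"].split("=", 1)[0].strip())
    return {h: {"requests": r["requests"], "cookies": sorted(r["cookies"])}
            for h, r in sorted(seen.items())}

def summarize(report):
    """Return (third-party host count, total cookies set by those hosts)."""
    return len(report), sum(len(r["cookies"]) for r in report.values())

if __name__ == "__main__":
    report = audit_har(SAMPLE_HAR, "agency.example")
    for host, rec in report.items():
        print(host, rec["requests"], rec["cookies"])
    print("%d third-party hosts, %d cookies" % summarize(report))
```

The report is per hostname; grouping hosts under the company that owns them needs a Public Suffix List and an ownership mapping, which this sketch leaves out.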

Commercial websites that provide health information may rely on advertising revenue, but they can do so in ways that are more protective of user privacy. They should consider moving to non-targeted ads, which are proving profitable in Europe, where health-based ad targeting is illegal.

Internet users can take steps to protect their privacy online by using a privacy-focused browser such as Safari, Brave, or Firefox, which limit exposure to tracking. Browser add-ons like Privacy Badger, Ghostery, and others are also available. Yet the only way to truly prevent online health privacy risks is by adopting and enforcing policies that forbid tracking on health-related websites.

Bringing the pandemic under control will continue to require us to make many difficult sacrifices. Our online privacy doesn’t have to be one of them.

Matthew S. McCoy is a bioethicist, senior fellow at the Leonard Davis Institute of Health Economics, and assistant professor of medical ethics at the University of Pennsylvania’s Perelman School of Medicine. Timothy Libert is a computer scientist and faculty member in the school of computer science at Carnegie Mellon University. Ari B. Friedman is a health economist, emergency physician, senior fellow at the Leonard Davis Institute of Health Economics, and assistant professor at the University of Pennsylvania’s Perelman School of Medicine.