An analysis of over 80,000 such web pages shows that nine out of ten visits result in personal health information beingl eaked to third parties, including online advertisers and data brokers.
This puts users at risk because their health interests may be publicly identified along with their names, researchers said.
This could happen because criminals get hold of the information, it is accidentally leaked, or data brokers collect and sell the information, they said.
Also, many online marketers use algorithmic tools which automatically cluster people into groups with names like "target" and "waste." Those in the "target" category are extended favourable discounts at retailers and advance notice of sales.
Given that 62 percent of bankruptcies are the result of medical expenses, it is possible anyone visiting medical websites may be grouped into the "waste" category and denied favourable offers.
Given that data brokers are free to sell any information they collect regarding visits to health websites, those visiting such sites are potentially at risk of being discriminated against by potential employers, retailers, or anybody else with the money to buy the data.
These findings are reported in an article authored by Timothy Libert, a doctoral student at the University of Pennsylvania's Annenberg School for Communication, that will appear in the journal Communication of the ACM.

Libert said a software tool can investigate Hypertext Transfer Protocol (HTTP) requests initiated to third party advertisers and data brokers.
He found that 91 percent of health-related web pages initiate HTTP requests to third-parties. Seventy percent of these requests include information about specific symptoms, treatment, or diseases (AIDS, Cancer, etc).
The vast majority of these requests go to a handful of online advertisers: Google collects user information from 78 percent of pages, comScore 38 percent, and Facebook 31 percent. Two data brokers, Experian and Acxiom, were also found on thousands of pages.
"Google offers a number of services which collect detailed personal information such as a user's persona email (Gmail), work email (Apps for Business), and physical location (Google Maps)," Libert said.
"For those who use Google's social media offering, Google+, a real name is forcefully encouraged. By combining the many types of information held by Google services, it would be fairly trivial for the company to match real identities to "anonymous" web browsing data," Libert added.