People looking up information online about sensitive medical issues including abortion and sexual infections have been tracked by private companies because the HSE includes what's described as a privacy 'Trojan horse' in its own webpages.
A major review by Danish researchers found almost all pages on the HSE website were being monitored by advertising industry trackers. These trackers, which were fully permitted by the HSE, meant dozens of technology firms could log users' locations, personal devices and browsing habits.
"A broad spectrum of Irish citizens' health data is being continuously and invisibly leaked to commercial actors," according to the CookieBot research.
Once collected, information can be sold via data brokers to the advertising industry where it can be used to target potentially vulnerable people based on their web-browsing habits.
In a statement last night, the HSE said it had begun removing the 'ShareThis' feature at the heart of the controversy from its website pending a review of the CookieBot research.
The HSE did not dispute the key findings, but said a new website it was developing did not include the data tracking feature.
It insisted some highly sensitive information had already been moved to these new pages.
"Our new site sections currently include mental health, child health, unplanned pregnancy and abortion services, and medical cards and other schemes and benefits," officials claimed.
However, a disclaimer still on the website last night said the web pages used cookies - activity tracking technology - from DoubleClick, a Google-owned company, and that they are used for serving targeted advertisements.
The HSE said it did not benefit financially from having the controversial software.
A key risk identified by the Danish researchers was the HSE's inclusion of apparently innocuous 'ShareThis' buttons on almost all of its webpages, to allow readers to send information to other users.
However, the technology running those buttons actually provides advertising companies with an entryway to the complex software running behind the Government website.
These third parties and even fourth parties can then log users' locations, devices and browsing habits, according to the CookieBot research.
The research, first reported by the 'Financial Times', found similar problems on many government websites across the EU.
Most Irish Government websites performed relatively well, but the HSE was an exception, ranking worst among EU health services. A total of 73pc of so-called landing pages on the HSE website - where web users arrive initially to seek information - contained the ad trackers. Up to 23 outside companies were monitoring single HSE pages.
If the HSE website is in contravention of tough European data privacy rules, known as the General Data Protection Regulation (GDPR), it could face fines of up to €1m.