Until October 22, the federal website AIDS.gov allegedly did not protect all the data of visitors using search boxes to locate HIV-related services, The Washington Post reports. A similar site run by the Centers for Disease Control and Prevention allegedly started routinely encrypting this user data only earlier this November.

Automatic encryption, which hides sensitive user information, has been widely available for many years for online banking and shopping services.

Until recent security updates, the sites supposedly risked exposing user identities and data. For example, an employer could have monitored whether workers were seeking HIV testing or mental health care. In some cases, smartphone apps leaked latitude and longitude information, which allowed hackers to discover a user’s location.

Privacy advocates said they were happy the sites now routinely encrypt this information, but they remain critical that the move took so long.

In response to the Post article, AIDS.gov posted the following: “AIDS.gov does not collect any personally identifiable information (PII) from users coming to the AIDS.gov website or the HIV Testing Sites and Care Services Locator. The U.S. Department of Health and Human Services requires encryption for the transmission of health-related information when it contains PII. Even though AIDS.gov does not collect (and has never collected) PII, the AIDS.gov Locator is encrypted.”