HealthCare.gov, the health insurance exchange website operated by the US government, is sending out personal health information about its users to at least 14 (and likely more) third-party websites belonging to private advertising companies.
The sent information apparently includes the users’ age, income level, ZIP code, parental status, pregnancy status and whether they are a smoker. And while no name is associated with it, the computer’s IP address can occasionally be included in the sent information, de facto allowing the companies to associate it to a person.
“There is no evidence that personal information has been misused,” AP noted. “But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by AP. A handful of the companies were also collecting highly specific information. That combination is raising concerns.”
EEF’s staff technologist Cooper Quintin independently evaluated these claims, and came to the same conclusion.
He discovered that the following third-party domains are receiving the data in question:
“A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are,” he explained, and offered an example: “Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences.”
According to the AP, the Obama administration says that the site’s connections to data firms are aimed at improving consumers’ online experience, and that these firms are prohibited from using this data for their own purposes. Still, how can they make sure that they don’t, and do they protect this data as they should?
As we have witnessed many times over, companies – bigger ones especially – are not that worried about not following some of the rules regarding data security and user privacy. The amount they earn by using users’ information is often many times larger than the fine they are forced to pay once their practices are exposed.
“Health information is some of the most sensitive and personal information there is. People’s private medical data should not be available to third party companies without consent from the user,” says Quintin. “This practice is negligent at best, and potentially devastating for consumers. At a miminum, healthcare.gov should disable third-party trackers for any user that requests an opt out using the DNT header.”
In the meantime, users can use the EFF’s third-party tracking blocker Privacy Badger prevent their information being collected by these and other trackers, as the Do Not Track header does nothing in this case.