Healthcare.gov website sends personal data to tracking websites

[Exterous]

The Associated Press reports that healthcare.gov–the flagship site of the Affordable Care Act, where millions of Americans have signed up to receive health care–is quietly sending personal health information to a number of third party websites. The information being sent includes one's zip code, income level, smoking status, pregnancy status and more.

Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are. It could do all this based on a tracking cookie that it sets which would be the same across any site you visit. Based on this data, Doubleclick could start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker.1 Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences such as when Target notified a woman's family that she was pregnant before she even told them.

It's especially troubling that the U.S. government is sending personal information to commercial companies on a website that's touted as the place for people to obtain health care coverage. Even more troubling is the potential for companies like Doubleclick, Google, Twitter, Yahoo, and others to associate this data with a person's actual identity. Google, thanks to real name policies, certainly has information uniquely identifying someone using Google services. If a real identity is linked to the information received from healthcare.gov it would be a massive violation of privacy for users of the site.

https://www.eff.org/deeplinks/2015/01/healthcare.gov-sends-personal-data

Not really sure why the website would even consider sending the data to tracking sites but I guess the designers felt otherwise. I'm surprised the zipcode was even a consideration given HIPPA regulations on 'de-identifying' information and zipcode anonymising:

The Privacy Rule allows a covered entity to de-identify data by removing all 18 elements that could be used to identify the individual or the individual's relatives, employers, or household members; these elements are enumerated in the Privacy Rule. The covered entity also must have no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is the subject of the information. Under this method, the identifiers that must be removed are the following:
All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census:
The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
The initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000.

http://privacyruleandresearch.nih.gov/pr_08.asp

 

[rudeguy]

To be fair: I thought this was addressed and fixed?

Doesn't matter to me. I had to use that site when it had no security and still sold my info. Thanks Obama!

 

[Exterous]

To be fair: I thought this was addressed and fixed?

Doesn't matter to me. I had to use that site when it had no security and still sold my info. Thanks Obama!

:hmm: So it would seem whatever 'scaling back' means

Obama administration reversed itself Friday, scaling back the release of consumers’ personal information from the government’s health insurance website to private companies with a commercial interest in the data.

http://www.pressherald.com/2015/01/23/healthcare-gov-curtails-release-of-personal-information/

So only over a year of doing that until they were found out. Yay?

At least they sent out the right tax information to everyone...