HealthCare.gov is sharing your private personal health data with over a dozen online marketing companies. These companies provide tools that allow HealthCare.gov to track, analyze and record anyone who visits the site.

But, despite its promise that “no personally identifiable information is collected by these tools,” the companies receiving the information can easily identify you – if they want to – by cross referencing the information they get from HealthCare.gov with information they have on you from other web sites.

These companies, like Google and Yahoo, can potentially cross reference what you do on HealthCare.gov with:

  • Your internet searches
  • Your webmail accounts
  • Your mobile devices

With digital threats from hackers, identity thieves, and governmental spy agencies on the rise, Americans are starting to worry about people playing fast and loose with their online data. A recent Pew Research report showed:

  • 91% of adults in the survey “agree” or “strongly agree” that consumers have lost control over how personal information is collected and used by companies.
  • 80% of those who use social networking sites say they are concerned about third parties like advertisers or businesses accessing the data they share on these sites.
  • 70% of social networking site users say that they are at least somewhat concerned about the government accessing some of the information they share on social networking sites without their knowledge.

President Obama addressed some of these concerns in his recent State of the Union address by proposing measures designed to protect “American companies, consumers, and infrastructure from cyber threats, while safeguarding privacy and civil liberties.”

One of these measures, the Personal Data Notification & Protection Act:

…strengthens the obligations companies have to notify customers when their personal information has been exposed, including establishing a 30-day notification requirement from the discovery of a breach

But what if there was no breach? What if a site revealed personal information to third parties for free? And what if that site was government run?

That’s exactly what is happening at the nation’s main health exchange website, HealthCare.gov.

All Your Data Are Belong to Us

When people go to HealthCare.gov to shop for government mandated health insurance, most are not aware that their personal data – including their income, zip code, pregnancy status, and more – is sent to over a dozen third party marketing companies for analysis.

Researchers from the Electronic Frontier Foundation found that:

…healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header, which contains the URL of the page requesting a third party resource.

A separate analysis found that HealthCare.gov had over 50 different third party connections. The companies receiving this data ranged from smaller analytics firms to industry giants such as Google, Twitter and Yahoo.

This came as a surprise to many because, while you are using it, HealthCare.gov does not appear to be sharing information with anyone. But that’s because the information you are entering is being sent to other sites behind the scenes. It works like this:

  • Third party companies provide small pieces of code to HealthCare.gov called trackers.
  • These trackers are added to the HealthCare.gov web pages.
  • Because the code sits inside the page’s source rather than in what is displayed on the page, most trackers are invisible.
  • When you load a web page with a tracker in it, the tracker collects information about you and sends it back to its parent company.
  • The company then stores it in a database, analyzes it, and provides the information to the government.
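
The referrer leak the EFF describes can be reproduced offline. The added example below (not code from HealthCare.gov or the EFF) computes the Referer value a browser attaches to a tracker request under each Referrer-Policy. The hosts, URL and parameter names are constructed, and a "downgrade" is approximated as HTTPS to non-HTTPS.

```javascript
// Added example: Referer value a browser sends for a subresource request,
// following the W3C Referrer Policy rules. All URLs below are constructed.
const SENSITIVE = ["zip", "age", "income", "smoker", "pregnant"];

function strip(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.hash = ""; u.username = ""; u.password = ""; // never sent in a Referer
  return u.href;
}

function refererFor(pageUrl, resourceUrl, policy) {
  const page = new URL(pageUrl), res = new URL(resourceUrl);
  const sameOrigin = page.origin === res.origin;
  const downgrade = page.protocol === "https:" && res.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return strip(pageUrl, false);
    case "origin": return strip(pageUrl, true);
    case "same-origin": return sameOrigin ? strip(pageUrl, false) : null;
    case "origin-when-cross-origin": return strip(pageUrl, !sameOrigin);
    case "strict-origin": return downgrade ? null : strip(pageUrl, true);
    case "no-referrer-when-downgrade": return downgrade ? null : strip(pageUrl, false);
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return strip(pageUrl, false);
      return downgrade ? null : strip(pageUrl, true);
    default: throw new Error("unknown policy: " + policy);
  }
}

// Names of sensitive query parameters visible to whoever receives `referer`.
function leakedFields(referer) {
  if (referer === null) return [];
  const params = new URL(referer).searchParams;
  return SENSITIVE.filter((k) => params.has(k));
}

// Constructed page and tracker URLs (hypothetical hosts and parameter names).
const PAGE = "https://exchange.example/plans/results?zip=90210&age=46&income=36000&smoker=1&pregnant=0#top";
const TRACKER = "https://tracker.example/pixel.gif";

function audit(policy) {
  const referer = refererFor(PAGE, TRACKER, policy);
  return { policy, referer, leaked: leakedFields(referer) };
}

for (const p of ["no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"]) {
  console.log(audit(p));
}
```

Under `no-referrer-when-downgrade`, long the browser default, the tracker receives every query parameter. A site can cap this by sending a `Referrer-Policy: strict-origin-when-cross-origin` or `no-referrer` response header.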

When reports of this first surfaced, the government did not deny that they were sharing personal information. Instead, they tried to minimize the impact. HHS spokesman Aaron Albright said:

There is no evidence that consumer information has been misused by any third party. Unlike many retail sites similar to HealthCare.gov, we do not and will not sell a visitor’s information.

However, this statement is problematic for two reasons. First, the issue is not that third party companies misused information. It is that they received it at all. That it was sent secretly. And that it was done without user knowledge or permission. Second, it’s pointless to say that HealthCare.gov does not sell visitor information when it’s obvious that they give it away for free.

Personally (Re)Identifiable Information

The idea of the government sending your personal health information all over the internet bothers a lot of people. To calm them down, the government has tried to explain that the information they are sending out is not personally identifiable. Their argument is, “Sure, we are sending people information about you. But they don’t know it’s YOU.”

Is that true? Not really.

By itself, sharing your age or your smoking status does not reveal your identity. But what if someone says that a 46 year old female smoker making $36,000/year lives in zip code 90210? That starts to narrow it down.

In fact, once you are able to correlate a number of data points, it becomes easy to identify individuals:

Latanya Sweeney, a computer science professor, conducted a study in 1990 using census data, and found that zip code, birth date, and sex could be combined to uniquely identify 87% of the United States population.
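
To see how quickly combined attributes single people out, the added example below (not from the original article or from Sweeney's study) measures the smallest group size k and the share of records that become unique as zip, sex, age and smoking status are combined. The eight records are constructed sample data.

```javascript
// Added example: how combining quasi-identifiers shrinks the anonymity set.
// All records are constructed sample data, not real people.
const PEOPLE = [
  { zip: "90210", sex: "F", age: 46, smoker: true },
  { zip: "90210", sex: "F", age: 46, smoker: false },
  { zip: "90210", sex: "F", age: 31, smoker: false },
  { zip: "90210", sex: "M", age: 46, smoker: false },
  { zip: "90210", sex: "M", age: 52, smoker: false },
  { zip: "10001", sex: "F", age: 46, smoker: false },
  { zip: "10001", sex: "F", age: 46, smoker: false },
  { zip: "10001", sex: "M", age: 29, smoker: true },
];

// Group records by the chosen fields. Report the smallest group size (k) and
// the share of records that sit alone in their group (uniquely identifiable).
function anonymity(records, fields) {
  const groups = new Map();
  for (const r of records) {
    const key = JSON.stringify(fields.map((f) => r[f]));
    groups.set(key, (groups.get(key) || 0) + 1);
  }
  const sizes = [...groups.values()];
  const unique = sizes.filter((n) => n === 1).length;
  return { k: Math.min(...sizes), uniqueFraction: unique / records.length };
}

// Add one field at a time to show the effect of each extra shared attribute.
function sweep(records, fields) {
  return fields.map((_, i) => {
    const used = fields.slice(0, i + 1);
    return { fields: used.join("+"), ...anonymity(records, used) };
  });
}

console.table(sweep(PEOPLE, ["zip", "sex", "age", "smoker"]));
```

A data set is only as anonymous as its smallest group: once k reaches 1, at least one record is identifiable from those fields alone.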

HealthCare.gov already transmits zip code and sex. But instead of sending birthday data, it sends two additional pieces of information that are potentially even better:

  • Your IP address
  • Tracking Cookies

Both Massachusetts and California have already ruled that zip codes are personal information. And in the EU, IP addresses are considered personal information.

IP addresses are particularly concerning because they identify the exact computer you are using to connect to the internet.

Even though most of the tracking companies involved in HealthCare.gov say they have taken steps to protect user privacy, including anonymizing IP addresses, in order to conduct data analysis, they still retain unique identifiers that can be used to reveal your true identity.

So, even if they say they don’t identify who you are, they can if they want to.

Tracking cookies can be even more invasive. Instead of identifying the computer you are using, they track the browser you are using. But they can track much more than that:

…some cookies are designed by programmers to send specific user information, which can include names and addresses, out to the tracker host. If the host recognizes a cookie on the browser whenever an ad or page is loaded, it can send the record of your visit to the logs and more precisely target you with ads geared to your next visit. Some ads will even address you by name and mention your location.

Tracking is just the start.

HealthCare.gov can also record your visit using ClickTale’s Visitor Recording service that lets them:

See absolutely everything visitors do on your webpage. Watch recordings of your visitors’ full browsing sessions to discover exactly how they use your site. It’s as if you’re looking over their shoulder!

We capture every mouse move, click, scroll and keystroke, by using a tiny piece of JavaScript copied into your website. The whole process is completely transparent to the end user, and has no noticeable effect on your site performance.

And this recording is done in secret, without the user’s knowledge. According to ClickTale’s FAQ:

Do my visitors know they are being recorded?
The recording process itself is completely transparent to the end user. However, all ClickTale subscribers should place a disclaimer in their Privacy Policy letting their visitors know that they may be recorded.

HealthCare.gov appears to have no such disclaimer.

Protecting Your Own Privacy

So, it appears that (GASP) you might not want to trust the government to protect your privacy.

So who can you trust?

Yourself.

There are a number of programs out there that you can use to protect yourself from third party data collection. They include:

Using one or more of these programs will help stop companies from tracking when you visit sites like HealthCare.gov or the millions of other websites that use these companies to track everything you do online.

7 Responses

  1. donna shelton

    Boy, I wish I had a boat load of money….I would sure give it to you. That’s where they have us though, too poor to fight them proper. All we can afford to do is shout at the wind. God bless.

  2. Madeline Brashear

    If right wingers are so desperate to get rid of Obamacare, why don’t they offer the American people an alternative other than leaving us with nothing to cover our health care? Where’s their plan for us? We have sense enough to know that no health insurance, no medical care and I believe that’s the same thing as the infamous death panels the Republicans hyped up back in 2008-10, only they’re the ones who are pushing them.

  3. Jordan c.

    Keep description up to 250 characters and avoid using all capital letters. Use 60 characters or fewer because search engines typically will not display any more content than that. ) many computer users prefer a search engine that doesn’t collect that personal data about them.

  4. topodin.pro

    Hiya very cool web site!! Guy .. Beautiful ..
    Superb .. I will bookmark your web site and take the feeds also?

    I’m happy to search out numerous helpful information right here in the
    post, we need work out more strategies in this regard, thank you for sharing.
