US

Report: HealthCare.gov Is Sharing Customer Information With Outside Companies

Chuck Ross Investigative Reporter

When an individual applies for health insurance on HealthCare.gov, some of their personal information is being shared with “dozens” of third-party advertising and web analysis companies — a development which many believe creates privacy concerns for consumers.

The finding, reported by The Associated Press, comes as President Obama pressed Congress to take up new measures to protect online identity in his State of the Union address on Tuesday.

According to the AP, when consumers apply for Obamacare coverage on the federal exchange website, their personal information — including age, income, location and other details such as their smoking and pregnancy status — is shared with outside companies.

Combined with their Internet address and their web search habits, the information could feasibly be used to create a profile of each Obamacare applicant. That information could, in turn, prove valuable to advertisers.

As the AP points out, there has been no indication yet that the companies have used the information beyond their mandate — federal officials told the news service that the companies are prohibited from using it for commercial gain.

But the data-sharing concerns some observers who see it ripe for exploitation.

The Electronic Frontier Foundation, a group which promotes civil liberties in the digital realm, ran an independent analysis and confirmed that the Obamacare website was providing consumer information to at least 14 third-party websites, including Doubleclick.net, Yahoo, Google, Twitter and YouTube.

In its analysis, the AP found that data was being shared with “dozens” of third-party vendors, including Facebook.

According to EFF, the personal information was being sent even when “Do Not Track” restrictions — which normally allows users to opt out of tracking by websites they do not visit — had been enabled.

In a blog post using a hypothetical consumer, EFF showed that a web page address sent to Doubleclick contained the personal information:

https://4037109.fls.doubleclick.net/activityi;src=4037109;type=20142003;cat=201420;ord=7917385912018;~oref=https://www.healthcare.gov/see-plans/85601/results/ county=04019&age=40&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000&&step=4?

The web address provides the hypothetical user’s age, zip code, annual income, smoking status, preganacy status and parental status.

“Sending such personal information raises significant privacy concerns,” EFF’s Cooper Quintin wrote in his analysis.

“A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are,” Quintin continued.

Others voiced concern.

“Anything that is health-related is something very private,” Mehdi Daoudi, the CEO of Catchpoint Systems, told the AP. “Personally, I look at this, and I am on a government website, and I don’t know what is going on between the government and Facebook, and Google, and Twitter. Why is that there?”

Aaron Albright, spokesman at Centers for Medicare and Medicaid Services, denied that the information was being used improperly.

Third-party vendors “are prohibited from using information from these tools on HealthCare.gov for their companies’ purposes,” he told the AP.

Healthcare.gov uses the companies in order to create “a simpler, more streamlined and intuitive experience” for consumers, Albright explained.

“It’s especially troubling that the U.S. government is sending personal information to commercial companies on a website that’s touted as the place for people to obtain health care coverage,” EFF’s Quintin wrote.

“If an attacker were able to compromise just one of the third party resources included on healthcare.gov they could potentially compromise the accounts of every user of healthcare.gov,” he warned.

In his State of the Union speech Tuesday, Obama addressed the issue of cyber security, saying that “no foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.”

“And tonight, I urge this Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information,” Obama said, adding that “if we don’t act, we’ll leave our nation and our economy vulnerable.”

Follow Chuck on Twitter