The healthcare.gov site is sharing personal information about its visitors with third-party advertisers, according to a report by The Associated Press.
The website for the federal healthcare exchange provides advertising networks with information such as the visitor’s age, annual income, zip code and state, whether he or she smokes, whether she is pregnant, and whether the person has children, according to the AP report.
The data, along with the computer's IP address, was included with the referrer header information about users that was sent to outside advertisers. The Electronic Frontier Foundation found the information was being sent even if the user had enabled “Do Not Track” in the browser.
While there is no evidence that personal information has been misused, the data has already been provided to at least 14 outside domains.
The fact that the data was provided by a healthcare portal was “negligent at best” and could be “potentially devastating” if misused, said Cooper Quintin, a technologist with the EFF. Considering how sensitive health information is, people’s private medical data should not be available to third-party companies without consent from the user, he said.
“It’s especially troubling that the U.S. government is sending personal information to commercial companies on a website that’s touted as the place for people to obtain health care coverage,” said Quintin.
Advertising networks can show users targeted ads based on this information and on data culled from tracking cookies. While third-party sites embedded on HealthCare.gov can’t see the visitor’s name, birth date or Social Security number, they may be able to correlate that person’s visit to healthcare.gov with visits to other places on the Internet.
If the visitor was researching coronary disease, looking at stop-smoking aids, or researching pregnancy-related information, these activities can be linked together into a detailed profile of that person and used to show targeted ads.
“This new information is extremely concerning, not only because it violates the privacy of millions of Americans, but because it may potentially compromise their security,” Senators Orrin Hatch, R-Utah, and Charles Grassley, R-Iowa, wrote in a letter to the administration.
The EFF recommended that healthcare.gov disable third-party trackers for any user who requests a clear opt-out using the browser’s DNT header.
“I think that this could erode … confidentiality when dealing with medical data and medical information,” said Quintin.
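The referrer exposure and the EFF's DNT recommendation described above can be checked with a short audit script. This is an added example, not code from healthcare.gov, the AP or the EFF; the host names, URL path, parameter names and values are constructed, and it assumes a browser that sends the full page URL as the Referer.

```javascript
// Constructed sample data: hosts, path, parameter names and values are illustrative only.
const PAGE_URL = 'https://exchange.example/see-plans/' +
  '?zip=85601&state=AZ&age=40&income=35000&smoker=1&pregnant=0&parent=1#results';
const SENSITIVE = ['zip', 'state', 'age', 'income', 'smoker', 'pregnant', 'parent'];
const EMBEDS = [
  { name: 'site-css', host: 'exchange.example' },
  { name: 'ad-pixel', host: 'ads.tracker.example' },
  { name: 'analytics', host: 'metrics.tracker.example' },
];

// Referer value when the browser sends the full page URL:
// the fragment and any credentials are dropped, the query string is kept.
function fullReferer(pageUrl) {
  const u = new URL(pageUrl);
  u.hash = '';
  u.username = '';
  u.password = '';
  return u.toString();
}

// Sensitive fields a receiving host can read out of a Referer value.
function leakedFields(referer, keys = SENSITIVE) {
  const params = new URL(referer).searchParams;
  return keys.filter((k) => params.has(k));
}

// EFF recommendation: when the request carries "DNT: 1",
// render first-party resources only and drop every third-party embed.
function embedsToRender(headers, embeds, firstPartyHost) {
  const dnt = Object.entries(headers).some(
    ([k, v]) => k.toLowerCase() === 'dnt' && String(v).trim() === '1');
  return dnt ? embeds.filter((e) => e.host === firstPartyHost) : embeds;
}

// Audit: which third-party hosts receive which sensitive fields for this request.
function exposureReport(pageUrl, headers, embeds, firstPartyHost) {
  const report = {};
  for (const e of embedsToRender(headers, embeds, firstPartyHost)) {
    if (e.host !== firstPartyHost) {
      report[e.host] = leakedFields(fullReferer(pageUrl));
    }
  }
  return report;
}

console.log(exposureReport(PAGE_URL, {}, EMBEDS, 'exchange.example'));
console.log(exposureReport(PAGE_URL, { DNT: '1' }, EMBEDS, 'exchange.example'));
```

An empty report for the DNT request is the pass condition; any host listed there is a third party still being contacted after the user opted out.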