The Associated Press reports that healthcare.gov–the flagship site of the Affordable Care Act, where millions of Americans have signed up to receive health care–is quietly sending personal health information to a number of third party websites. The information being sent includes one's zip code, income level, smoking status, pregnancy status and more.
EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.
In some cases the information is also sent embedded in the request string itself, like so:
https://4037109.fls.doubleclick.net/activityi;src=4037109;
type=20142003;cat=201420;ord=7917385912018;~oref=https://www.
healthcare.gov/see-plans/85601/results/?county=04019&age=40& smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000& &step=4?
In the above example, a URL at doubleclick.net is requested by your browser. Appended to the end of this URL is your age, smoking status, preganacy status, parental status, zip code, state and annual income. This URL is requested by your browser after you fill out the required information on healthcare.gov and click the button to view health insurance plans that you are eligible for.
The following is a table showing which third party domains EFF researchers confirmed were receiving the private health data.
Domain | PII in referrer | PII in request |
Akamai.net | ✓ | |
Chartbeat.net | ✓ | ✓ |
Clicktale.net | ✓ | |
Doubleclick.net | ✓ | ✓ |
Google.com | ✓ | ✓ |
Mathtag.com | ✓ | |
Mixpanel.com | ✓ | |
Nrd-data.net | ✓ | |
Optimizely.com | ✓ | ✓ |
Reson8.com | ✓ | |
Rfihub.com | ✓ | |
Twitter.com | ✓ | |
Yahoo.com | ✓ | |
Youtube.com | ✓ |
Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are. It could do all this based on a tracking cookie that it sets which would be the same across any site you visit. Based on this data, Doubleclick could start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker.1 Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences such as when Target notified a woman's family that she was pregnant before she even told them.
It's especially troubling that the U.S. government is sending personal information to commercial companies on a website that's touted as the place for people to obtain health care coverage. Even more troubling is the potential for companies like Doubleclick, Google, Twitter, Yahoo, and others to associate this data with a person's actual identity. Google, thanks to real name policies, certainly has information uniquely identifying someone using Google services. If a real identity is linked to the information received from healthcare.gov it would be a massive violation of privacy for users of the site.
Third-party resources could also introduce additional security risks to the healthcare.gov website, with each included third-party resource increasing the attack surface of the site. If an attacker were able to compromise just one of the third party resources included on healthcare.gov they could potentially compromise the accounts of every user of healthcare.gov. The attacker could then sell the Private Health Information or hold it for ransom.
For now, EFF recommends installing software that will block third party tracking, such as EFF's own Privacy Badger. Privacy badger will block the referrers and the connections to third party sites on healthcare.gov and protect your personal health information.
Health information is some of the most sensitive and personal information there is. People's private medical data should not be available to third party companies without consent from the user. This practice is negligent at best, and potentially devastating for consumers. At a miminum, healthcare.gov should disable third-party trackers for any user that requests an opt out using the DNT header. Arguably, healthcare.gov should meet good privacy standards for all its users.
President Obama will give his State of the Union speech tonight, in which he is expected to address cybersecurity issues. If President Obama is really concerned about cybersecurity, he may want to start in his own backyard, by securing healthcare.gov.