Obamacare

Uh-Oh! Obamacare's Website is Sending Sensitive Personal Information to Marketing and Advertising Companies

But don't worry, sending your private data to HealthCare.gov is perfectly safe.


Since before Obamacare's health insurance exchanges went online, there have been worries about the safety and security of personal data collected by the system. But despite hearings and government watchdog reports saying that necessary security precautions weren't taken, the Obama administration has always assured the public that their data is perfectly secure.

"There's no higher priority than protecting consumer information and maintaining trust for the consumers," Andy Slavitt, who is slated to take over the top post at the Centers for Medicare & Medicaid Services later this year, told Politico last November. 

Turns out we didn't need to worry about hackers breaking into the government's data troves. The government has been secretly sending out sensitive personal data, including age, zip code, and income information, to private advertising and marketing companies, according to a worrying report this evening from the Associated Press:

The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address when combined with other information collected by sophisticated online marketing or advertising firms.

The Obama administration says HealthCare.gov's connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests.

There is no evidence that personal information has been misused. But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by AP. A handful of the companies were also collecting highly specific information. That combination is raising concerns.

There are two big problems here. The first is disclosure. This is being done without the knowledge of most users. And while HealthCare.gov explicitly insists that "no personally identifiable information" is collected on users, the sort of details that it sends out to marketing firms could help advertisers pin down individual identities or personal health information.

The other problem is the security of the data once it's sent elsewhere. Even if the government were taking all the necessary precautions in its own handling of sensitive, personal electronic information—and thanks to the Government Accountability Office we know that it isn't—there's no guarantee that outside marketing analysts will take the same precautions. 

As the AP notes, "The administration did not explain how it ensures that companies were following the government's privacy and security policies." Presumably if security requirements were in place they would be able to say what they are. 

And there are a lot of third parties involved. According to the AP report, there are at least 50 of what it calls "third-party connections" on HealthCare.gov, the federally run Obamacare exchange portal. The connections were caught by a security consultant, and in a test, the AP confirmed that the federal website was sending out information. 

At minimum, the Obama administration's handling of the website security and privacy is sloppy and poorly thought out. Possibly it is dangerous and actively misleading. It's not much of a surprise, given the administration's lacklustre management of the exchanges so far, but even still, it's unsettling. And it's further evidence that when it comes to tech management, the Obama administration simply isn't competent. 

But remember: There's no higher priority than protecting consumer information and maintaining trust for the consumers. This, apparently, is how the Obama administration manages its highest priorities. 


Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. What are you going to do about it bitch?

  2. Hey, when I’m wrong I’ll admit it. FINALLY, transparency has come to the Obama administration.

  3. The government, naturally, is exempt from HIPAA.

    If they weren’t, though, this would probably be the rarely seen criminal violation of HIPAA.

    Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

    1. So, Dunphy exposed that pharmacist he intimidated to that. A real piece of work is our constable.

      1. Oh, yeah. Dunphy definitely induced that pharmacist to break federal law.

        Honestly, I doubt it was an actual criminal violation, but it could have been.

        Covered entities and specified individuals, as explained below, who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.

        1. Naturally, if the police were subject to the same laws as the rest of us, Dunphy would be equally guilty.

          But we know better. Don’t we.

          1. Oh, he’s subject to them, alright. In a theoretical sense. We all know the reality is far different for the King’s Men.

        2. My best guess would be the “personal gain” provision, though that’s pretty weak tea. The personal gain being not arrested by Dunphy for random bullshit broken window status offense.

          Even if the HIPAA charge wouldn’t stick, the RX guy would have been fucked had a prosecutor taken an interest in him.

    2. Look! Over there! Eric Holder is….something something….not really.

      1. Not very adept at world diplomacy?

      2. finally reading the Constitution?

      3. Played basketball at Carver High in the late 70’s?

  4. And while HealthCare.gov explicitly insists that “no personally identifiable information” is collected on users,

    An obvious lie, as under HIPAA definitions this is personally identifiable information, which is a HIPAA term of art:

    The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer’s Internet address, which can identify a person’s name or address

    The HIPAA rules specifically call out zip code and age as personal identifiers that, if present, mean that the info is personally identifiable. Period.

    1. Look! Over there! The administration has NSA spying on North Korea!

  5. The connections were caught by a security consultant, and in a test, the AP confirmed that the federal website was sending out information.

    With mediocre security, having access to some of the data generally means that a motivated party can get access to a lot more of the data.

    And healthcare.gov was built with notoriously shitty security. God knows what a real forensic audit would find.

    1. Look! Over there! Obama’s gonna propose a HUGE tax increase!

  6. lol, everyone else does too, so what's the big deal?

    http://www.BestAnon.tk

  7. RC Dean, I have one word for you:

    BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOSH!

    1. Exactly! Say it loud, brother! Tell that man with his knowledge and facts that Bush/Cheney/1%ers/racists that my healthcare is more important. I NEED IT.

  8. This is one of those many instances in which I trust the government much more than you dirty 1%ers. Give me my free fucking healthcare.

  9. Get your paws off my personally identifiable information, you damned, dirty website!

  10. Obviously the worst sort of racism. FORWARD!!1!eleventy

  11. “We’re from the government. We’re here to help.”

  12. Another question:

    These 50 outside firms who now have access to data. How were they chosen? Campaign contributions? Employment of administration relatives? What?

    1. Yes.

  13. Incredible. This is literally the same administration that this very week railed against companies getting and using student personal data from colleges. It’s like our Executive is a running SNL skit.

    1. I hate you mostly for your marginal redeemability, BCE.

      1. Marginal Redeemability

        Great title for an album by the band Industrious Whores

  14. There are teenagers that create websites by themselves to conduct commerce which didn’t take as long as the ACA website, didn’t cost as much, and don’t release personal information.

    1. Yeah, but they typically have an IQ number higher than their age. Not the O admin…

  15. “The Obama administration says HealthCare.gov’s connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests.”

    Huh?

    Using data to provide a service under a government contract for which they are paid is not “using the data to further their own business interests?” I’d say that that is exactly what they are doing.

    Do Obama administration officials ever think before they speak?
