Uh-Oh! Obamacare's Website is Sending Sensitive Personal Information to Marketing and Advertising Companies

But don't worry, sending your private data to HealthCare.gov is perfectly safe.

Peter Suderman | 1.20.2015 6:25 PM

Your personal information wants to be free. — Whitehouse.gov

Since before Obamacare's health insurance exchanges went online, there have been worries about the safety and security of personal data collected by the system. But despite hearings and government watchdog reports saying that necessary security precautions weren't taken, the Obama administration has always assured the public that their data is perfectly secure.

"There's no higher priority than protecting consumer information and maintaining trust for the consumers," Andy Slavitt, who is slated to take over the top post at the Centers for Medicare & Medicaid Services later this year, told Politico last November.

Turns out we didn't need to worry about hackers breaking into the government's data troves. The government has been secretly sending out sensitive personal data, including age, zip code, and income information, to private advertising and marketing companies, according to a worrying report this evening from the Associated Press:

The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address when combined with other information collected by sophisticated online marketing or advertising firms.

The Obama administration says HealthCare.gov's connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests.

There is no evidence that personal information has been misused. But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by AP. A handful of the companies were also collecting highly specific information. That combination is raising concerns.

There are two big problems here. The first is disclosure. This is being done without the knowledge of most users. And while HealthCare.gov explicitly insists that "no personally identifiable information" is collected on users, the sort of details that it sends out to marketing firms could help advertisers pin down individual identities or personal health information.

The other problem is the security of the data once it's sent elsewhere. Even if the government were taking all the necessary precautions in its own handling of sensitive, personal electronic information—and thanks to the Government Accountability Office we know that it isn't—there's no guarantee that outside marketing analysts will take the same precautions.

As the AP notes, "The administration did not explain how it ensures that companies were following the government's privacy and security policies." Presumably if security requirements were in place they would be able to say what they are.

And there are a lot of third parties involved. According to the AP report, there are at least 50 of what it calls "third-party connections" on HealthCare.gov, the federally run Obamacare exchange portal. The connections were caught by a security consultant, and in a test, the AP confirmed that the federal website was sending out information.

At minimum, the Obama administration's handling of the website security and privacy is sloppy and poorly thought out. Possibly it is dangerous and actively misleading. It's not much of a surprise, given the administration's lacklustre management of the exchanges so far, but even still, it's unsettling. And it's further evidence that when it comes to tech management, the Obama administration simply isn't competent.

But remember: There's no higher priority than protecting consumer information and maintaining trust for the consumers. This, apparently, is how the Obama administration manages its highest priorities.

Start your day with Reason. Get a daily brief of the most important stories and trends every weekday morning when you subscribe to Reason Roundup.

NEXT: Obama Invites a Symbol of Emotion-Driven Gun Control to His SOTU Address

Hide Comments (33)

Editor's Note: As of February 29, 2024, commenting privileges on reason.com posts are limited to Reason Plus subscribers. Past commenters are grandfathered in for a temporary period. Subscribe here to preserve your ability to comment. Your Reason Plus subscription also gives you an ad-free version of reason.com, along with full access to the digital edition and archives of Reason magazine. We request that comments be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of reason.com or Reason Foundation. We reserve the right to delete any comment and ban commenters for any reason at any time. Comments may only be edited within 5 minutes of posting. Report abuses.

AlmightyJB 9 years ago

What are you going to do about it bitch?
Libertarian 9 years ago

Hey, when I’m wrong I’ll admit it. FINALLY, transparency has come to the Obama administration.
R C Dean 9 years ago

The government, naturally, is exempt from HIPAA.
If they weren’t, though, this would probably be the rarely seen criminal violation of HIPAA.
Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
1. Tonio 9 years ago
  
  So, Dunphy exposed that pharmacist he intimidated to that. A real piece of work is our constable.
  1. R C Dean 9 years ago
    
    Oh, yeah. Dunphy definitely induced that pharmacist to break federal law.
    Honestly, I doubt it was an actual criminal violation, but it could have been.
    Covered entities and specified individuals, as explained below, who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
    1. R C Dean 9 years ago
      
      Naturally, if the police were subject to the same laws as the rest of us, Dunphy would be equally guilty.
      But we know better. Don’t we.
      1. Tonio 9 years ago
        
        Oh, he’s subject to them, alright. In a theoretical sense. We all know the reality is far different for the King’s Men.
    2. Tonio 9 years ago
      
      My best guess would be the “personal gain” provision, though that’s pretty weak tea. The personal gain being not arrested by Dunphy for random bullshit broken window status offense.
      Even if the HIPAA charge wouldn’t stick, the RX guy would have been fucked had a prosecutor taken an interest in him.
2. Almanian! 9 years ago
  
  Look! Over there! Eric Holder is….something something….not really.
  1. Crusty Juggler 9 years ago
    
    Not very adept at world diplomacy?
  2. wareagle 9 years ago
    
    finally reading the Constitution?
  3. Tonio 9 years ago
    
    Retiring?
  4. Crusty Juggler 9 years ago
    
    Played basketball at Carver High in the late 70’s?
R C Dean 9 years ago

And while HealthCare.gov explicitly insists that “no personally identifiable information” is collected on users,
An obvious lie, as under HIPAA definitions this is personally identifiable information, which is a HIPAA term of art:
The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer’s Internet address, which can identify a person’s name or address
The HIPAA rules specifically call out zip code and age as personal identifiers that, if present, mean that the info is personally identifiable. Period.
1. Almanian! 9 years ago
  
  Look! Over there! The administration has NSA spying on North Korea!
R C Dean 9 years ago

The connections were caught by a security consultant, and in a test, the AP confirmed that the federal website was sending out information.
With mediocre security, having access to some of the data generally means that a motivated party can get access to a lot more of the data.
And healthcare.gov was built with notoriously shitty security. God knows what a real forensic audit would find.
1. Almanian! 9 years ago
  
  Look! Over there! Obama’s gonna propose a HUGE tax increase!
userve32 9 years ago

lol, everyone else does to so whats the big deal?
http://www.BestAnon.tk
Almanian! 9 years ago

RC Dean, I have one word for you:
BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOSH!
1. Crusty Juggler 9 years ago
  
  Exactly! Say it loud, brother! Tell that man with his knowledge and facts that Bush/Cheney/1%ers/racists that my healthcare is more important. I NEED IT.
Crusty Juggler 9 years ago

This is one of those many instances in which I trust the government much more than you dirty 1%ers. Give me my free fucking healthcare.
Almanian! 9 years ago

Get your paws off my personally identifiable information, you damned, dirty website!
Tonio 9 years ago

Obviously the worst sort of racism. FORWARD!!1!eleventy
The Late P Brooks 9 years ago

“We’re from the government. We’re here to help.”
R C Dean 9 years ago

Another question:
These 50 outside firms who now have access to data. How were they chosen? Campaign contributions? Employment of administration relatives? What?
1. Pl?ya Manhattan. 9 years ago
  
  Yes.
2. Tonio 9 years ago
  
  Top. Men.
Bo Cara Esq. 9 years ago

Incredible. This is literally the same administration that this very week railed against companies getting and using student personal data from colleges. It’s like our Executive is a running SNL skit.
1. Tonio 9 years ago
  
  I hate you mostly for your marginal redeemability, BCE.
  1. Mainer2 9 years ago
    
    Marginal Redeemability
    Great title for an album by the band Industrious Whores
Chumby 9 years ago

There are teenagers that create websites by themselves to conduct commerce which didn’t take as long as the ACA website, didn’t cost as much, and don’t release personal information.
1. Sevo 9 years ago
  
  Yeah, but they typically have an IQ number higher than their age. Not the O admin…
Number 2 9 years ago

“The Obama administration says HealthCare.gov’s connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests.”
Huh?
Using data to provide a service under a government contract for which they are paid is not “using the data to further their own business interests?” I’d say that that is exactly what they are doing.
Do Obama administration officials ever think before they speak?

Please log in to post comments

Uh-Oh! Obamacare's Website is Sending Sensitive Personal Information to Marketing and Advertising Companies

But don't worry, sending your private data to HealthCare.gov is perfectly safe.

Latest

Capitalism Makes Society Less Racist

The Alarming Implications of Trump's Immunity Claim

New Georgia Law Allows Birthing Centers To Open Without Needing Permission From Nearby Hospitals

It Took Me Months To Get the ADHD Meds the DEA Says Are Overprescribed

Costly Complexity

Recommended

Login Form