Uh-Oh! Obamacare's Website is Sending Sensitive Personal Information to Marketing and Advertising Companies

But don't worry, sending your private data to HealthCare.gov is perfectly safe.

Peter Suderman | 1.20.2015 6:25 PM

Your personal information wants to be free. — Whitehouse.gov

Since before Obamacare's health insurance exchanges went online, there have been worries about the safety and security of personal data collected by the system. But despite hearings and government watchdog reports saying that necessary security precautions weren't taken, the Obama administration has always assured the public that their data is perfectly secure.

"There's no higher priority than protecting consumer information and maintaining trust for the consumers," Andy Slavitt, who is slated to take over the top post at the Centers for Medicare & Medicaid Services later this year, told Politico last November.

Turns out we didn't need to worry about hackers breaking into the government's data troves. The government has been secretly sending out sensitive personal data, including age, zip code, and income information, to private advertising and marketing companies, according to a worrying report this evening from the Associated Press:

The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address when combined with other information collected by sophisticated online marketing or advertising firms.

The Obama administration says HealthCare.gov's connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests.

There is no evidence that personal information has been misused. But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by AP. A handful of the companies were also collecting highly specific information. That combination is raising concerns.

There are two big problems here. The first is disclosure. This is being done without the knowledge of most users. And while HealthCare.gov explicitly insists that "no personally identifiable information" is collected on users, the sort of details that it sends out to marketing firms could help advertisers pin down individual identities or personal health information.

The other problem is the security of the data once it's sent elsewhere. Even if the government were taking all the necessary precautions in its own handling of sensitive, personal electronic information—and thanks to the Government Accountability Office we know that it isn't—there's no guarantee that outside marketing analysts will take the same precautions.

As the AP notes, "The administration did not explain how it ensures that companies were following the government's privacy and security policies." Presumably if security requirements were in place they would be able to say what they are.

And there are a lot of third parties involved. According to the AP report, there are at least 50 of what it calls "third-party connections" on HealthCare.gov, the federally run Obamacare exchange portal. The connections were caught by a security consultant, and in a test, the AP confirmed that the federal website was sending out information.

At minimum, the Obama administration's handling of the website security and privacy is sloppy and poorly thought out. Possibly it is dangerous and actively misleading. It's not much of a surprise, given the administration's lacklustre management of the exchanges so far, but even still, it's unsettling. And it's further evidence that when it comes to tech management, the Obama administration simply isn't competent.

But remember: There's no higher priority than protecting consumer information and maintaining trust for the consumers. This, apparently, is how the Obama administration manages its highest priorities.

Start your day with Reason. Get a daily brief of the most important stories and trends every weekday morning when you subscribe to Reason Roundup.

NEXT: Obama Invites a Symbol of Emotion-Driven Gun Control to His SOTU Address

Hide Comments (33)

Editor's Note: As of February 29, 2024, commenting privileges on reason.com posts are limited to Reason Plus subscribers. Past commenters are grandfathered in for a temporary period. Subscribe here to preserve your ability to comment. Your Reason Plus subscription also gives you an ad-free version of reason.com, along with full access to the digital edition and archives of Reason magazine. We request that comments be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of reason.com or Reason Foundation. We reserve the right to delete any comment and ban commenters for any reason at any time. Comments may only be edited within 5 minutes of posting. Report abuses.

AlmightyJB 10 years ago

What are you going to do about it bitch?
Libertarian 10 years ago

Hey, when I'm wrong I'll admit it. FINALLY, transparency has come to the Obama administration.
R C Dean 10 years ago

The government, naturally, is exempt from HIPAA.

If they weren't, though, this would probably be the rarely seen criminal violation of HIPAA.

Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.
1. Tonio 10 years ago
  
  So, Dunphy exposed that pharmacist he intimidated to that. A real piece of work is our constable.
  1. R C Dean 10 years ago
    
    Oh, yeah. Dunphy definitely induced that pharmacist to break federal law.
    
    Honestly, I doubt it was an actual criminal violation, but it could have been.
    
    Covered entities and specified individuals, as explained below, who "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year.
    1. R C Dean 10 years ago
      
      Naturally, if the police were subject to the same laws as the rest of us, Dunphy would be equally guilty.
      
      But we know better. Don't we.
      1. Tonio 10 years ago
        
        Oh, he's subject to them, alright. In a theoretical sense. We all know the reality is far different for the King's Men.
    2. Tonio 10 years ago
      
      My best guess would be the "personal gain" provision, though that's pretty weak tea. The personal gain being not arrested by Dunphy for random bullshit broken window status offense.
      
      Even if the HIPAA charge wouldn't stick, the RX guy would have been fucked had a prosecutor taken an interest in him.
2. Almanian! 10 years ago
  
  Look! Over there! Eric Holder is....something something....not really.
  1. Crusty Juggler 10 years ago
    
    Not very adept at world diplomacy?
  2. wareagle 10 years ago
    
    finally reading the Constitution?
  3. Tonio 10 years ago
    
    Retiring?
  4. Crusty Juggler 10 years ago
    
    Played basketball at Carver High in the late 70's?
R C Dean 10 years ago

And while HealthCare.gov explicitly insists that "no personally identifiable information" is collected on users,

An obvious lie, as under HIPAA definitions this is personally identifiable information, which is a HIPAA term of art:

The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address

The HIPAA rules specifically call out zip code and age as personal identifiers that, if present, mean that the info is personally identifiable. Period.
1. Almanian! 10 years ago
  
  Look! Over there! The administration has NSA spying on North Korea!
R C Dean 10 years ago

The connections were caught by a security consultant, and in a test, the AP confirmed that the federal website was sending out information.

With mediocre security, having access to some of the data generally means that a motivated party can get access to a lot more of the data.

And healthcare.gov was built with notoriously shitty security. God knows what a real forensic audit would find.
1. Almanian! 10 years ago
  
  Look! Over there! Obama's gonna propose a HUGE tax increase!
userve32 10 years ago

lol, everyone else does to so whats the big deal?

http://www.BestAnon.tk
Almanian! 10 years ago

RC Dean, I have one word for you:

BOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOSH!
1. Crusty Juggler 10 years ago
  
  Exactly! Say it loud, brother! Tell that man with his knowledge and facts that Bush/Cheney/1%ers/racists that my healthcare is more important. I NEED IT.
Crusty Juggler 10 years ago

This is one of those many instances in which I trust the government much more than you dirty 1%ers. Give me my free fucking healthcare.
Almanian! 10 years ago

Get your paws off my personally identifiable information, you damned, dirty website!
Tonio 10 years ago

Obviously the worst sort of racism. FORWARD!!1!eleventy
The Late P Brooks 10 years ago

"We're from the government. We're here to help."
R C Dean 10 years ago

Another question:

These 50 outside firms who now have access to data. How were they chosen? Campaign contributions? Employment of administration relatives? What?
1. Pl?ya Manhattan. 10 years ago
  
  Yes.
2. Tonio 10 years ago
  
  Top. Men.
Bo Cara Esq. 10 years ago

Incredible. This is literally the same administration that this very week railed against companies getting and using student personal data from colleges. It's like our Executive is a running SNL skit.
1. Tonio 10 years ago
  
  I hate you mostly for your marginal redeemability, BCE.
  1. Mainer2 10 years ago
    
    Marginal Redeemability
    
    Great title for an album by the band Industrious Whores
Chumby 10 years ago

There are teenagers that create websites by themselves to conduct commerce which didn't take as long as the ACA website, didn't cost as much, and don't release personal information.
1. Sevo 10 years ago
  
  Yeah, but they typically have an IQ number higher than their age. Not the O admin...
Number 2 10 years ago

"The Obama administration says HealthCare.gov's connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests."

Huh?

Using data to provide a service under a government contract for which they are paid is not "using the data to further their own business interests?" I'd say that that is exactly what they are doing.

Do Obama administration officials ever think before they speak?

Please log in to post comments

Uh-Oh! Obamacare's Website is Sending Sensitive Personal Information to Marketing and Advertising Companies

But don't worry, sending your private data to HealthCare.gov is perfectly safe.

Latest

The Senate Just Passed Rand Paul's Bill To Block Trump's Tariffs on Canada

Joe Rogan Is Right: It Is 'Kind of Crazy' To Deport Innocent People Mistakenly Identified As Gang Members

Javier Milei's Free Market Reforms Are Starting To Pay Off

Americans Are Deeply Skeptical of Trump's 'Liberation Day' Tariffs

Can Trump Broker a TikTok Sale Before the April 5 Deadline?

Recommended

Login Form