Healthcare.gov has flaws, but revealing private information to web advertisers should not be one of them. Unfortunately, apparently it is.
We can be honest: the Healthcare.gov website has had its share of flaws. But today's revelation from the Electronic Freedom Foundation just might be the worst of all. After all, we are entrusting several overarching federal agencies with our healthcare needs, among them HHS, Homeland Security, and not least the IRS.
It is apparently Affordable Care Act enrollment time. How do I know? Because healthcare.gov keeps spamming me to let me know. Even though I have insurance through my workplace and do not need to enroll under the ACA, I still get crazy amounts of email reminding me that I need to sign up.
However, am I glad I didn’t.
Today it came out that, in addition to the well-known technical issues with the website, there was a new problem. When sending information between pages, and to other sites in the Healthcare.gov ecosystem, they were sending your Personal Health Information / Personally Identifiable Information (PHI/PII) along with the requests to those other website(s). Even more concerning was the way they were pushing the information to the "partner" websites.
Now, let's look at an example. DoubleClick is an online advertising agency, owned by Google. Yes, that Google, which has had several different issues with consumer privacy before today. From this string, we now know you are 40, not a smoker, not pregnant, you live in zip code 85601, which is located in (southern) Arizona, and your income is around $35,000.00.
From that I can learn much more about you. Not only that, but the ability of DoubleClick and the other Google companies to track you down to the individual computer is somewhat mind-blowing when it comes to what data they can actually see.
Now, before you get comfortable and think "Well, it is just Google who has this information," the EFF found that there were actually 12 companies able to receive your personal health information as a result of this data being sent.
The only one on here that makes any sense is Akamai, because they are a large content delivery network (basically a way to make a website run faster by spreading the load out), but why does Twitter need my PHI/PII sent to them?
From a nerdy design standpoint, it seems like they should have had their partner sites pull session information as necessary over encrypted, authenticated session requests, not receive it in clear-text referrer requests. The method used on Healthcare.gov is easier from a programmatic standpoint, but when you are asking citizens to sign up for your already controversial service, you might want to take the extra step and secure the information.
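As an added example (not code from the original post, and not Healthcare.gov's own code), here is a Python audit of the two points above: it scans a constructed capture of one page view's outbound requests, flags every third-party request that carries enrollment answers in its own query string or in the Referer header the browser attached, and then shows the alternative design the post argues for, keeping the answers server-side behind an opaque session token and sending a Referrer-Policy so the browser stops forwarding the page URL to embedded trackers. The host names tracker.example and cdn.example, the path /see-plans/, and the parameter names are assumptions; the sample values are the ones quoted in the post.

```python
from urllib.parse import urlsplit, parse_qs
import secrets

FIRST_PARTY = {"healthcare.gov"}
# Parameter names assumed for illustration; the real site's names are not reproduced.
SENSITIVE_PARAMS = {"age", "zip", "smoker", "pregnant", "income"}

# Constructed capture of outbound requests from one page view (not real traffic).
PAGE = "https://www.healthcare.gov/see-plans/?age=40&smoker=0&pregnant=0&zip=85601&income=35000"
CAPTURED = [
    {"url": PAGE, "headers": {}},
    {"url": "https://tracker.example/pixel?age=40&zip=85601&income=35000",
     "headers": {"Referer": PAGE}},
    {"url": "https://cdn.example/lib.js", "headers": {"Referer": PAGE}},
]


def is_third_party(url):
    host = (urlsplit(url).hostname or "").lower()
    return not any(host == fp or host.endswith("." + fp) for fp in FIRST_PARTY)


def sensitive_params(url):
    """Sorted names of sensitive query parameters present in a URL ('' yields [])."""
    return sorted(k for k in parse_qs(urlsplit(url).query) if k.lower() in SENSITIVE_PARAMS)


def find_leaks(requests):
    """(host, where, params) for each third-party request carrying sensitive fields
    in its own query string or in the Referer header it was sent with."""
    leaks = []
    for req in requests:
        if not is_third_party(req["url"]):
            continue
        host = urlsplit(req["url"]).hostname
        hit = sensitive_params(req["url"])
        if hit:
            leaks.append((host, "url", hit))
        hit = sensitive_params(req.get("headers", {}).get("Referer", ""))
        if hit:
            leaks.append((host, "referer", hit))
    return leaks


def referer_sent(page_url, target_url, policy):
    """Simplified model of the Referer a browser attaches under a given Referrer-Policy."""
    p, t = urlsplit(page_url), urlsplit(target_url)
    same_origin = (p.scheme, p.netloc) == (t.scheme, t.netloc)
    downgrade = p.scheme == "https" and t.scheme != "https"
    if policy == "no-referrer":
        return ""
    if policy == "no-referrer-when-downgrade":      # older browser default: full URL leaks
        return "" if downgrade else page_url
    if policy == "strict-origin-when-cross-origin":  # full URL only to the same origin
        if downgrade:
            return ""
        return page_url if same_origin else f"{p.scheme}://{p.netloc}/"
    raise ValueError("unsupported policy: " + policy)


# Hardened design: answers live on the server, the browser holds only an opaque token.
SESSION_STORE = {}


def store_server_side(answers):
    token = secrets.token_urlsafe(16)
    SESSION_STORE[token] = dict(answers)
    return token


def safe_page_url(token):
    """Page URL that carries nothing but the opaque session token."""
    return "https://www.healthcare.gov/see-plans/?s=" + token


if __name__ == "__main__":
    for leak in find_leaks(CAPTURED):
        print("LEAK", *leak)
    tracker = "https://tracker.example/pixel"
    print("old default sends:", referer_sent(PAGE, tracker, "no-referrer-when-downgrade"))
    print("hardened sends:   ", referer_sent(PAGE, tracker, "strict-origin-when-cross-origin"))
```

Two things matter here. First, the leak shows up even for a benign-looking third-party script such as the CDN entry, because the browser attaches the full page URL as the Referer whenever the page keeps enrollment answers in its query string. Second, a Referrer-Policy alone only fixes the Referer path; the tracker pixel that was explicitly built with the answers in its own URL is only fixed by not putting them there, which is why the opaque-token design is the real remedy.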
With President Obama expected to make a big push for cybersecurity and internet security reforms, this would be the last thing we would want to find out. But it is concerning, and I am hoping someone who can investigate this issue will. After all, we know who to go to when a HIPAA violation occurs, but who do we call when the HIPAA violation is being committed by the office entrusted with protecting our information?