Healthcare.gov has been plagued with allegations of data insecurity that began before it even went live. Now the Associated Press has found that personal data, like age, marital status, zip code, and parental status is being sent out to third party services, some of which are commercial enterprises.
Technology experts documented the connections, and the AP reportedly confirmed the links between Healthcare.gov and external commercial firms. “There is no evidence that personal information has been misused” the AP reports, however “A handful of the companies were also collecting highly specific information.” Correlating this kind of data, such as smoker status, could lead companies to advertising smoking cessation aids, or cancer treatments.
This may seem like an anonymized exposure of personal data, other indicators, like IP address, could lead to very targeted data exploitation. According to the Electronic Frontier Foundation, the requested data appears in URL’s that are sent to third parties, and the personal information is readily identifiable.
In one example, Cooper Quintin — a staff technologist for the EFF — notes:
Google, thanks to real name policies, certainly has information uniquely identifying someone using Google services. If a real identity is linked to the information received from healthcare.gov it would be a massive violation of privacy for users of the site.
Aside from data mining, the other major concern is that this data could fall into the wrong hands. “You don’t need all of that data to do customer service,” former White House chief information officer, Theresa Payton told AP. “We know hackers are just waiting at the door, salivating to get at this data.”
Official government sources have stated that the security infrastructure around Healthcare.gov is robust. Andy Slavitt, the man in charge of the health care exchange and principal deputy administrator at the Centers for Medicare & Medicaid Services, has said that security concerns are misplaced, and that previous breaches to the system has been very minor.
Many consider user data to be sacrosanct, especially when its information pertaining to health care. Threats on the internet are varied and numerous, but ultimately the exploitation of user data by profit-seeking companies may be the most worrying thing about these revelations. Still, Healthcare.gov seems to be getting very close to its signup targets, so not everyone is concerned.
Screenshot courtesy of Healthcare.gov.