These healthcare sites shared sensitive information with Google, LinkedIn

This story was originally published by The Markup, which is now part of CalMatters. Sign up for their newsletters.

Healthcare websites across the country that are intended to provide an easy way to shop for insurance have been quietly sending visitors' sensitive health information to Google and social media companies. Data including prescription drug names and dosages was sent by web trackers on state exchanges set up under the Affordable Care Act to help Americans purchase health insurance.

The exchange websites ask users to answer a set of questions about their health history in order to find the most relevant information about plans. In some cases, however, when a visitor answered a sensitive question, an invisible tracker sent the information to platforms such as Google, LinkedIn, Snapchat and others.

The Markup and CalMatters audited the websites of all 19 states that independently operate their own online health exchanges. While most sites contained some sort of ad tracker, The Markup and CalMatters found that four states were exposing visitors' sensitive health information.

Nevada Health Link, Nevada's exchange, asks visitors about their prescriptions, including the names and dosages of medications, to help them find the best health insurance option. When visitors begin typing, the site suggests specific medications, such as antidepressants, birth control, and hormone therapy. When visitors answered the questions, their responses were sent to LinkedIn and Snapchat, according to tests conducted by The Markup and CalMatters in April and May.


On the other side of the country, CoverMe.gov, Maine's exchange, sent information on drug prescriptions and administration to Google via an analytics tool. It also sent the names of doctors and hospitals that people had previously visited.

Rhode Island's exchange, HealthSource RI, sent prescription information, dosages and doctors' names to Google.

Another exchange, Massachusetts Health Connector, told LinkedIn whether visitors said they were pregnant, blind or disabled.

Nevada's exchange stopped sending visitors' data to Snapchat after being contacted by The Markup and CalMatters, and Massachusetts stopped sending data to LinkedIn. Additionally, The Markup and CalMatters found that Nevada stopped sending data to LinkedIn in early May, while the tests were being conducted.

The Markup and CalMatters discovered the sharing after finding that California's exchange, Covered California, told LinkedIn when visitors indicated they were blind, pregnant or victims of domestic violence.

Experts said that the state health exchanges' use of advertising trackers was awkward, if not entirely surprising. Tools like these help organizations reach visitors and coordinate their ads. Google Analytics allows website operators to better understand who is coming to their site and to optimize their ad campaigns. The LinkedIn and Snap trackers, like similar products from Meta, help businesses target their social media ads.

Russell Cook, executive director of the state agency that operates Nevada's exchange, the Silver State Health Insurance Exchange, said Nevada uses trackers to help target marketing at uninsured residents.

However, healthcare services need to pay particular attention to these tools, says John Haskell, a data privacy lawyer who previously worked as an investigator for the Department of Health and Human Services.

“It’s not surprising that organizations with these large tech stacks that rely on third-party resources don’t fully understand what the configuration is, the flow of data, and what that data is being used for when it goes to someone. It’s something that needs to be addressed.”

How was exchange data tied to users' identities?

After The Markup and CalMatters reported on the sharing of health data between Covered California and LinkedIn, the exchange said it would remove the tracker and review its data practices. The news sparked class action lawsuits and questions from federal lawmakers.

The Markup and CalMatters then looked at the websites run by the 18 states other than California, as well as by Washington, D.C., to see what information they shared as users navigated them. The sites were established under the Affordable Care Act, which requires states to offer health insurance either through their own exchanges or through a federally operated exchange.

To test them, The Markup and CalMatters first ran the sites through Blacklight, a tool The Markup developed to reveal web trackers. They then examined each site's network traffic to see what data the trackers received when visitors filled out forms.

The results showed that 18 used some type of tracker. Some were filled with them: Nevada, for example, used nearly 50. In contrast, Blacklight was unable to find any kind of tracker on the Washington, D.C., exchange. Popular websites use an average of seven trackers, according to Blacklight scans of the 100,000 most popular sites on the web.
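The second step of that test, checking what the trackers received when a form was filled out, can be approximated on a browser HAR export. The Python sketch below is an added illustration, not code from The Markup, CalMatters or Blacklight; the `.example` hosts, the typed values and the two-label `site_of` heuristic are constructed assumptions, and values sent hashed or otherwise encoded would not be caught.

```python
from urllib.parse import urlsplit, unquote_plus

def site_of(host):
    # Assumption: treat the last two labels as the site. A real audit
    # should use the Public Suffix List instead.
    return ".".join(host.lower().split(".")[-2:])

def find_leaks(har, first_party, typed_values):
    """Return (third_party_host, field, value) for typed values seen leaving the site."""
    own = site_of(first_party)
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if site_of(host) == own:
            continue  # first-party traffic is expected to carry form data
        body = req.get("postData", {}).get("text", "")
        # Decode twice to catch double URL-encoding, then compare case-insensitively.
        haystack = unquote_plus(unquote_plus(req["url"] + " " + body)).lower()
        for field, value in typed_values.items():
            if value.lower() in haystack:
                findings.append((host, field, value))
    return findings

# Constructed sample: what a tester typed into the plan-finder form.
TYPED = {"drug": "Sertraline", "dosage": "50 mg", "doctor": "Dr. Jane Roe"}

# Constructed HAR fragment (only the fields the check reads).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST", "url": "https://api.exchange.example/plans",
                 "postData": {"text": "drug=Sertraline&dosage=50+mg"}}},
    {"request": {"method": "GET",
                 "url": "https://px.tracker.example/collect?ev=click&label=Sertraline%2050%20mg"}},
    {"request": {"method": "GET",
                 "url": "https://stats.analytics.example/g/collect?en=page_view"
                        "&dl=https%3A%2F%2Fwww.exchange.example%2Fplans"}},
    {"request": {"method": "POST", "url": "https://cdn.adnet.example/e",
                 "postData": {"text": "doctor=Dr.+Jane+Roe"}}},
]}}

if __name__ == "__main__":
    for host, field, value in find_leaks(SAMPLE_HAR, "www.exchange.example", TYPED):
        print(f"{host} received {field}: {value!r}")
```

A page-view beacon that carries only the page URL is not flagged; only requests to other sites that contain what the visitor typed are reported.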

Many of the sites used trackers in relatively harmless ways, such as counting page views.

The four exchanges that The Markup and CalMatters found sharing sensitive health data gave varying answers to questions about the tracking.

In a statement, Cook said the tracker placed by his Nevada agency “incorrectly obtains information about the name and dosage of a prescription drug,” and sent it to LinkedIn and Snapchat.

Cook acknowledged that such data was “completely unrelated to marketing activities,” and said the agency had disabled the tracking software pending an audit.

“Personally identifiable information is not part of the tool’s structure, and no personally identifiable information is shared in any way through the tool’s user’s IP address,” Massachusetts Health Connector spokesman Jason Lefferts said in a statement. However, LinkedIn’s documentation for its tracker states that the information it receives is associated with a specific LinkedIn account, allowing businesses to use the data for features such as retargeting website visitors. The company’s documentation also states that it later obscures this information and eventually deletes it.

Spokespeople for the Rhode Island and Maine health exchanges said they pay a vendor, Consumers' Checkbook, to run a separate site where visitors can explore plans available through the state exchange. It was from these sites that sensitive information was shared with Google. The Consumers' Checkbook sites are located at a different web address than the exchange sites, but they are prominently linked from the exchange sites and display the same branding, such as the state health exchange logo, so the average visitor won’t notice that they are no longer on a state-run domain.

HealthSource RI spokesman Christina Spaight O’Reilly said that it uses Google Analytics to study trends rather than to serve ads, and “disable Google Signals Data Collection to ensure that it is not shared with Google Ads for viewers creation and personalisation, and is not linked to Google Ads cookies or identifiers.” She noted that HealthSource RI’s terms of service refer to the use of Google Analytics. A spokesman for CoverMe.gov made a similar point, saying that the exchange “does not collect or retain data entered into the tool.”

Consumers' Checkbook declined to comment beyond the exchanges’ statements.

All of the exchanges said that no individually identifiable health information, such as names or addresses, was sent to third parties. However, the point of the trackers is to enhance the information a platform already has about a user, and all of the trackers found by The Markup and CalMatters recorded details about individual visitors, including their operating system, browser, device, and visit times.

In response to requests for comment, the tech companies whose trackers were examined uniformly said they do not want organizations to send them potentially sensitive health data, and that doing so is against their terms of service.

“By default, data sent to Google Analytics does not identify individuals, and we have strict policies against collecting private health information and advertising based on sensitive information,” said Steve Ganem, head of product management at Google Analytics. LinkedIn spokesman Brionna Ruff said advertisers are not allowed to “target ads based on sensitive data categories” such as health issues. A spokesman for Snapchat owner Snap said the same, noting that sending data about purchases of consumables such as prescriptions would violate the company’s rules regarding sensitive data.

A Google Analytics information page provides specific information on how organizations using the company’s tools can comply with the Health Insurance Portability and Accountability Act (HIPAA), which protects health data. The page states, “Google does not represent that Google Analytics meets the HIPAA requirements.”

“It is important to ensure that the implementation of Google Analytics and the data on which visitors are collected meets all applicable legal requirements,” the page reads.

More incidents

The state exchanges are not the only health sites to send medical information to social media companies. In 2022, The Markup revealed that numerous hospital websites were sharing information with Facebook’s parent company, Meta, via a tool called the Meta Pixel. The hospitals faced scrutiny from Congress and legal action. Another Markup investigation found that trackers on online drugstores recorded information about visitors, including about HIV testing and purchases of Plan B.

In 2023, New York hospitals agreed to pay a $300,000 fine for violations of the Health Insurance Portability and Accountability Act. The law can be applied to businesses that use these trackers.

Some plaintiffs argue that state laws, such as California's, entitle them to compensation when health data is sent to third parties without their consent. Others argue that this type of tracking violates eavesdropping and assault laws.

“The organization has not invested enough time and resources to properly review everything,” Haskell said. Haskell advises clients to be extremely careful about the information they track on their sites.

“When the organization was saying, ‘We didn’t understand that there was a specific configuration of this tool that we’re using.’ do not have Leave it to you.”


