Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Advertising Government Privacy Security

Healthcare.gov Sends Personal Data To Over a Dozen Tracking Websites 204

An anonymous reader tips an Associated Press report saying that Healthcare.gov is sending users' personal data to private companies. The information involved is typical ad-related analytic data: "...it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address when combined with other information collected by sophisticated online marketing or advertising firms." The Electronic Frontier Foundation confirmed the report, saying that data is being sent from Healthcare.gov to at least 14 third-party domains.

The EFF says, "Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are. It could do all this based on a tracking cookie that it sets which would be the same across any site you visit. Based on this data, Doubleclick could start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker. Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences such as when Target notified a woman's family that she was pregnant before she even told them. "
This discussion has been archived. No new comments can be posted.

Healthcare.gov Sends Personal Data To Over a Dozen Tracking Websites

Comments Filter:
  • by Anonymous Coward

    You didn't need to be a drooling FoxNews zombie to see that Healthcare.gov was a bad idea.

    • by jandersen ( 462034 ) on Wednesday January 21, 2015 @10:18AM (#48865189)

      You didn't need to be a drooling FoxNews zombie to see that Healthcare.gov was a bad idea.

      But the reason it is a bad idea is not that all government does is bad - rather this illustrates why things like this should be managed by a body that is guaranteed to not be in bed with business and is stricly regulated. Whether or not this can be called corruption in the legal sense, it certainly is morally corrupt.

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        There is no such thing as "a body that is guaranteed to not be in bed with business."

        Also, "strictly regulated" often just means "whitewashed by some taxpayer-funded agency with no teeth."

        Rather than "strictly regulated" we need "transparent and publicly accountable" in order to resist corruption.

      • Tell me, when is Government not in bed with business? Crony Capitalism is no better than a corrupt Bureaucracy that targets citizens, instead of serving them.

        Government isn't the solution to problems, it is largely responsible for them. Here is the process.

        People complain about problem, government "Fixes" the problem, but generates three new problems. Repeat.

        And fixing the problems government creates is as simple as raising taxes and giving the money away to voters. All those programs and shit that we spend

  • There's nowhere to escape the targeted ads and you can't turn them off.

  • Why? (Score:5, Insightful)

    by Anonymous Coward on Wednesday January 21, 2015 @08:20AM (#48864305)

    The only purpose it serves is to completely erase all trust. Who gets fired?

  • Wow... Just "no". (Score:5, Insightful)

    by pla ( 258480 ) on Wednesday January 21, 2015 @08:22AM (#48864315) Journal
    In what universe does a government website selling personal info to advertisers count as even remotely fucking acceptable???

    This doesn't "raise significant privacy concerns", it sends a great big middle finger to the American public from its own elected officials. I don't care about the "potential" for misuse - I care that someone even considered the possibility of using healthcare.gov to siphon off PII.

    Uncle Sam needs to retire.
    • by gstoddart ( 321705 ) on Wednesday January 21, 2015 @08:30AM (#48864357) Homepage

      In what universe does a government website selling personal info to advertisers count as even remotely fucking acceptable???

      One in which some asshole has decided it needs to run for a profit, or on a cost recovery basis ... and with zero regard for patient confidentiality.

      I agree with you, and any sane country with privacy laws would be appalled -- and you'd expect this to violate some HIPAA laws.

      Essentially this demonstrates the problems with analytics -- is some asshole you don't have anything to do with gets to know everything you do and everything about you.

      That's utterly insane, and if it isn't, it should be illegal.

      But somehow it seems that ensuring the profits of corporations is more important than privacy and the act of restricting what corporations do is unthinkable to some.

      • I agree with you, and any sane country with privacy laws would be appalled -- and you'd expect this to violate some HIPAA laws.

        That's utterly insane, and if it isn't, it should be illegal.

        i think it actually might be violating HIPAA. someone should be going to jail for this, whether they do or not is a different matter.

        • i think it actually might be violating HIPAA

          Nope. Because they're not covered by HIPAA. Only "covered entities" have to comply with HIPAA privacy regulations and, guess what? The government is not a covered entity.

          • Re:Wow... Just "no". (Score:4, Informative)

            by The Fifth Man ( 99745 ) on Wednesday January 21, 2015 @10:11AM (#48865119)

            "only "covered entities" have to comply with HIPAA privacy regulations and, guess what? The government is not a covered entity."

            Hi, HIPAA guy here. This is most assuredly incorrect. Popular misconception though.

            Per HHS' own rules, the site operates as a Business Associate and is fully covered by HIPAA.

            http://www.hhs.gov/ocr/privacy... [hhs.gov]

            • Suggestion: Everyone go report this as a HIPAA violation [hhs.gov].
            • by dAzED1 ( 33635 )
              to be fair, this was only really clear starting with Omnibus - prior to that, HIPAA relied a lot on common sense and a personal sense of ethics from the reader. Fortunately, the semi-retroactive nature of it to 2009, plus Omnibus being released 9 months prior to healthcare.gov, means that yes - the government faces stiff penalties of paying itself money (amount=irrelevant, since paying self) and the BAs made $1.7BILLION for making a farking WEBSITE for fark's sake, so I don't think the 1.5M max fine will r
        • IANAHipaa expert, but I would guess that since it is only providing anonymous info, it does not fall under hippo restrictions. That doesn't make it right, or even ethical, but it's probably not illegal.

          Also, I don't think people can go to jail for HIPAA violations.

          • Anonymizing protected health information (while still retaining value for person-specific marketing purposes) can be difficult (if not impossible). Here's a link to an article that talks about the kind of identifiers that would have to be scrubbed.

            http://www.hhs.gov/ocr/privacy... [hhs.gov]

            Scroll down to the table that describes the "safe harbor" method of deidentifying data.

            Age is a problem. Additionally, if a person's identity can be as easily determined using other readily accessible information (as the summary

        • by AK Marc ( 707885 )
          The information shared is "personal information" not "medical information", though status as a smoker or pregnant could fall under both. HIPAA doesn't apply to the government anyway. And, unless it's changed since the last time I looked, the "p" had been enforced, but never the "a". People have been fined for not releasing information, but never fined for releasing too much to the wrong people. The real point of the law was that doctors would hold prescriptions and diagnoses hostage, demanding extortion
          • Nearly everything you've stated is false and contradicts the plain wording of the statute. You're actually giving out "legal opinions"?

            >The information shared is "personal information" not "medical information"

            Please review the elements of IIHI at Section 164.514(b)(2)(i) and that IIHI is a subset of PHI at Section 160.103(1) and (2).

            > HIPAA doesn't apply to the government anyway

            Then why does IHS have to comply? Why does the NIH bother with it at all when they interface with non-government organizatio

            • by AK Marc ( 707885 )

              Nearly everything you've stated is false and contradicts the plain wording of the statute.

              How many fines have been given out for not releasing information

              How many have been given out for releasing too much information to the wrong people?

              Those two questions answer the question of what it was for and how it was used.

      • by Ksevio ( 865461 )
        Despite its name, healthcare.gov does not handle medical data so it can't violate HIPAA laws.

        Still, it should not be doing it.
        • The article states that information shared could include pregnancy status (clearly protected health information) and smoking status (most likely PHI).

          • by Ksevio ( 865461 )
            But just because something is medically related, doesn't mean it's protected by HIPAA. Target knowing a customer is pregnant isn't required to protect that information. For healthcare.gov, this article states it does not need to comply.
              • That may be, but by the very black and white wording of the law itself, the site is acting in a business associate capacity on behalf of health insurance companies.
                Despite what is being reported -- "HHS says it isn't covered uhcuz it doesn't wanna be" -- it is, indeed, covered by HIPAA.

                I have been quoting section references to you in an earlier reply but it might be better if you read a summary:
                http://www.hhs.gov/ocr/privacy... [hhs.gov]

                The problem for the website is that by HHS definitions, it is handling PHI (remem

                • Additionally, doesn't appear that HHS has definitively said it is not covered by HIPAA. The article Ksevio linked to is specific to covered entity liability under HIPAA. It mentions nothing about the potential for healthcare.gov to be a business associate (presumably of the various insurance companies it works with).

                  There are a couple of ways to be classified as a business associate, the pertinent way in this case being the creation, reception, maintenance, or transmission of PHI on behalf of a covered en

        • Check Section 164.514(b)(2)(i) for the identifiers. Remember, IIHI is literally defined as a "subset" of PHI (see Section 160.103). That means disclosing, say, a name alone is a breach of HIPAA in a healthcare context (and shopping for medical insurance is, and it is very much covered by HIPAA).

          Data doesn't need to be medical in nature, it needs to be related to healthcare. Your personal data qualifies in this context, I can absolutely assure you.

    • by DarkOx ( 621550 ) on Wednesday January 21, 2015 @08:36AM (#48864391) Journal

      Why are you surprised the entire 'Affordable' care is really just a pile of giveaways to certain monied interests.

      I mean come on the left the private insurance industry in place, while all but forcing the public to buy their product. The left them with the ability to set rates. The only real encouragement for them not gouge, is fear of political back lash AND essentially a government grantee that if they do somehow lose money they will be make whole.

      There essentially no controls on the medical tort industry in it.
      Nothing was done manage increasing drug costs
      The medial device tax, the like one thing that industry might not like, is suspended.
      Piles of money were spent hiring the incompetent to build the exchange.

      The entire thing is theft all the way up and down.

    • Re:Wow... Just "no". (Score:4, Interesting)

      by jellomizer ( 103300 ) on Wednesday January 21, 2015 @08:39AM (#48864401)

      Give me a H
      Give me an I
      Give me a P
      Give me an A
      Give me an A

      What does that spell HIPAA
      What does that mean! The government should fine itself!

      I think if the government needs to fine itself, they should refund the money back to the tax payers for services failed to render.

      • Here's a Ycombinator discussion on this very thing...

        https://news.ycombinator.com/i... [ycombinator.com]

      • I think if the government needs to fine itself, they should refund the money back to the tax payers for services failed to render.

        Laws are for other people. When the government does it, it's different. If you think this is bad, just wait until they nationalize the internet under the guise of "net neutrality".

      • by budgenator ( 254554 ) on Wednesday January 21, 2015 @09:05AM (#48864549) Journal

        They sent the info to 14 different companies,
        HIPAA violation is due to willful neglect and is not corrected, Minimum Penalty, $50,000 per violation, with an annual maximum of $1.5 million; Maximum Penalty, $50,000 per violation, with an annual maximum of $1.5 million;
        is a $1.5M fine going to phase either the USG or that rogue's gallery of internet advertiser's? We probably spend more than $22.5M on brake pads for fighter jets each year.

        • per violation. 1.5 million bucks times however many people are signed up through the website.
          • IANAL but I think that pesky coma between "violation" and "with an annual maximum of $1.5 million" stops the per violation part and start the annual maximum part without regard to the number of violations.

    • by BarbaraHudson ( 3785311 ) <barbara.jane.hud ... minus physicist> on Wednesday January 21, 2015 @08:49AM (#48864475) Journal

      In what universe does a government website selling personal info to advertisers count as even remotely fucking acceptable??? This doesn't "raise significant privacy concerns", it sends a great big middle finger to the American public from its own elected officials. I don't care about the "potential" for misuse - I care that someone even considered the possibility of using healthcare.gov to siphon off PII. Uncle Sam needs to retire.

      There is zero evidence that this data is being used for advertising purposes - the article makes a lot of speculation. For example:

      to private companies that specialize in advertising and analyzing Internet data for performance and marketing,

      For example, IBM does both - but they also do pretty good data analysis. Would you rather it goes to some 3rd-world country for analysis (because you can be pretty sure it will be sold)?

      Now, I'm not saying there's nothing to see here - but is it just fog that will dissipate in the morning sun or smoke that indicates a fire? Can't tell from the article, because it's almost al speculation and what-ifs.

      • Re: (Score:3, Insightful)

        by mrchaotica ( 681592 ) *

        There is zero evidence that this data is being used for advertising purposes - the article makes a lot of speculation.

        Bullshit. The fact that the information gets sent at all is prima facie evidence that it's being abused. The burden of proof is on the government to justify it.

        • Bullshit. The fact that the information gets sent at all is prima facie evidence that it's being abused. The burden of proof is on the government to justify it.

          Bullshit, the fact that you were arrested by police and prosecuted by the DA is prima facie evidence that you are not innocent. The burden of proof is on you to justify yourself.

          You can't change what "evidence" means because it suits your ideological goals.

          • Your argument fails because it assumes that individuals and government are somehow equivalent. They are not. In fact, quite the opposite: the burden of proof lies always lies with the government precisely because it is a government, and not an individual!

            People are always innocent until proven guilty.

            Government is always guilty until proven innocent.

            • No, my argument is that you cannot change the meaning of evidence. Police may stop you because of evidence, but police stopping you is not evidence.

              You are correct that the analogy doesn't run through, but it doesn't need to. It does show that "evidence" has a meaning that the GP tried to subvert to make an ideological point.

              If I had argued that the government doesn't need to show you shit, then you'd be right, but I'd never argue that. The government should demonstrate that such action is being prevente

      • frankly it doesnt matter WHAT they do with the data, HIPPA says they cant share any of it
        • by Holi ( 250190 )
          Except Healthcare.gov doesn't actually handle any medical information. It's a website for purchasing a health plan, not for getting actual health care. No medical information no HIPPA violation. Still a really shitty thing, but probably not illegal.
          • See my earlier comments, but this is most definitely false.

            The issue is that HHS boxed themselves in by the way they defined business associates and medical information. This is not a case of "HIPAA only applies to providers like hospitals" (which was the case prior to 2009). Giving even a name to an insurance company after facilitating shopping for medical insurance qualifies the entity or party as a business associate, and that data -- even though it's not "I have a cold" or whatever -- is still legally d

      • It's adorable that you have so much faith in the government that they wouldn't sell that data outright or you know allow it for some type of kickback.
        • It's not a question of faith in the government so much as wanting to see some substance instead of if rumor and speculation.
      • There is zero evidence that this data is being used for advertising purposes - the article makes a lot of speculation. For example:

        I disagree. The evidence is that the data is being sent to them. Nothing more needs to be proven. There is no -- as in zero -- legitimate reason for the site to be doing this. All performance analysis they need can be done in-house.

        For example, IBM does both - but they also do pretty good data analysis. Would you rather it goes to some 3rd-world country for analysis (because you can be pretty sure it will be sold)?

        I honestly don't see any difference between the two scenarios. I have no reason to think that domestic ad companies are any more trustworthy than 3rd world country companies (and I have several reasons to think that they're not). I'm pretty sure it will be sold either way.

        • All performance analysis they need can be done in-house.

          Obviously history disagrees with you - they couldn't even keep the site running properly for how long again ??? I'd look at the companies involved at implementing the site taking this as a cheap and easy way to do analytics (and maybe a few back-room deals as well) rather than a policy of the government.

    • In what universe does a government website selling personal info to advertisers count as even remotely fucking acceptable???

      Probably the universe where a bunch of assholes insist that the federal government not use in-house personnel to build this website, and instead outsource it to the lowest bidder... who is lowest because they valued and counted on this additional revenue stream?

      Uncle Sam needs to retire.

      Uncle Sam needs to get his ass off the bench, and stop outsourcing all it's functionality to private

    • Comment removed based on user account deletion
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Wednesday January 21, 2015 @08:51AM (#48864491)
    Comment removed based on user account deletion
  • by Enry ( 630 ) <enry@@@wayga...net> on Wednesday January 21, 2015 @09:30AM (#48864745) Journal

    The example that the EFF gave listed general information about a person, but there's nothing that would directly identify the person. No SSN, no address, no name.

    Yes, doubleclick and others could use that with other information they already have and determine with some probability who the person is. But that's a separate discussion on expanding what PII is or limiting what kind of data can be stored about a person, either of which I'd be in favor of.

    • It sounds like you're using the ad industry's definition of "PII". That definition is ludicrous. The bulk of information that can be used to identify me personally falls outside of the standard definition of "PII", and so the term "PII" is pretty much devoid of meaning.

      • by Enry ( 630 )

        Yes and no. In a practical sense you're right and I said as much in the second paragraph. As for the legal definition of PII [wikipedia.org]:

        NIST Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to

  • I haven't completed it, but maybe I should just to pollute the database. Is that a crime? I could say I'm tall, healthy, young Asian Latino woman? That would probably go too far, but at least this is data I can control better than the data the credit card companies dole out on my purchases. People are always thinking "invisibility" when nature prefers "camouflage".
  • Random referral requests and thus pollute the collected data?
  • They couldn't identify me, so experian sent me a credit application to fill out. Its really pathetic that they can't use information the government already has. Instead they rely on some private company who only cares about the bottom line. Its our governments perverse need to reduce public systems in favor of inefficient and incompetent private models. They get paid even when they do a bad job. So what you really have here is some private company using data it gathered. I would bet it was in their c

  • Serious question. HIPPA is very strict. Or so I'm given to understand, not having done a deep dive into the details. How can they do this without violating HIPPA?

    • by dAzED1 ( 33635 )
      they can't, but the fine has a max penalty per year, and that max would just be the fed paying itself a number at which it wouldn't blink even if it wasn't paying itself. Just because something is illegal, doesn't mean it won't happen - if the only penalty for underage drinking was you had to have sex with Scarlet Johansen, do you think that would work as much of a deterrent? We don't live in a world where society can decide it doesn't accept a certain behavior, and then just expect everyone to not do it
    • IANAL, but I am generally familiar with HIPPA. This is probably not a HIPPA violation because the HIPPA rules only apply to specific sorts of businesses, and the healthcare.gov site is not one of them. For instance, I could share any medical details I had on you as much as I want without violating HIPPA laws.

  • Visiting just the healthcare.gov web site via Firefox generates the following URL requests: http://pastebin.com/0UUbmRCf [pastebin.com]

    At least all those advert and tracker sites - including those that have been helping pay for malware for over a decade - are using SSL!

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...