By Cooper Quintin, Electronic Frontier Foundation:
Healthcare.gov–the flagship site of the Affordable Care Act, where millions of Americans have signed up to receive health care–is quietly sending personal health information to a number of third party websites, the Associated Press reported. The information being sent includes one’s zip code, income level, smoking status, pregnancy status and more.
EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track.
The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.
In some cases the information is also sent embedded in the request string itself, like so:
https://4037109.fls.doubleclick.net/activityi;src=4037109;
type=20142003;cat=201420;ord=7917385912018;~oref=https://www.
healthcare.gov/see-plans/85601/results/?county=04019&age=40& smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000& &step=4?
In the above example, a URL at doubleclick.net is requested by your browser. Appended to the end of this URL is your age, smoking status, preganacy status, parental status, zip code, state and annual income. This URL is requested by your browser after you fill out the required information on healthcare.gov and click the button to view health insurance plans that you are eligible for.
The following is a table showing which third party domains EFF researchers confirmed were receiving the private health data.
Domain | PII in referrer | PII in request |
Akamai.net | ✓ | |
Chartbeat.net | ✓ | ✓ |
Clicktale.net | ✓ | |
Doubleclick.net | ✓ | ✓ |
Google.com | ✓ | ✓ |
Mathtag.com | ✓ | |
Mixpanel.com | ✓ | |
Nrd-data.net | ✓ | |
Optimizely.com | ✓ | ✓ |
Reson8.com | ✓ | |
Rfihub.com | ✓ | |
Twitter.com | ✓ | |
Yahoo.com | ✓ | |
Youtube.com | ✓ |
Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are.
It could do all this based on a tracking cookie that it sets which would be the same across any site you visit. Based on this data, Doubleclick could start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker. Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences such as when Target notified a woman’s family that she was pregnant before she even told them.
It’s especially troubling that the U.S. government is sending personal information to commercial companies on a website that’s touted as the place for people to obtain health care coverage.
Even more troubling is the potential for companies like Doubleclick, Google, Twitter, Yahoo, and others to associate this data with a person’s actual identity. Google, thanks to real name policies, certainly has information uniquely identifying someone using Google services. If a real identity is linked to the information received from healthcare.gov it would be a massive violation of privacy for users of the site.
Third-party resources could also introduce additional security risks to the healthcare.gov website, with each included third-party resource increasing the attack surface of the site. If an attacker were able to compromise just one of the third party resources included on healthcare.gov they could potentially compromise the accounts of every user of healthcare.gov. The attacker could then sell the Private Health Information or hold it for ransom.
For now, EFF recommends installing software that will block third party tracking, such as EFF’s own Privacy Badger. Privacy badger will block the referrers and the connections to third party sites on healthcare.gov and protect your personal health information.
Health information is some of the most sensitive and personal information there is. People’s private medical data should not be available to third party companies without consent from the user. This practice is negligent at best, and potentially devastating for consumers. At a miminum, healthcare.gov should disable third-party trackers for any user that requests an opt out using the DNT header. Arguably, healthcare.gov should meet good privacy standards for all its users.
If President Obama is really concerned about cybersecurity, he may want to start in his own backyard, by securing healthcare.gov. By Cooper Quintin, Electronic Frontier Foundation
“We’re unwrapping the best holiday gift we could’ve imagined,” Google gushed. Automakers beg to differ. You’re not even asked. Read… Fight Breaks Out Over Your Absolutely-No-Privacy-Ever Car
Enjoy reading WOLF STREET and want to support it? You can donate. I appreciate it immensely. Click on the beer and iced-tea mug to find out how:
Would you like to be notified via email when WOLF STREET publishes a new article? Sign up here.
Well duh. One can’t have a proper totalitarian state if you leave people with a shred of human dignity. I heard one of Obama’s apparatchiks going on and on about cloud computing on a local show on a Sunday in D.C. a full two years before it exploded fully grown on the tech scene. Even geeks I asked about it had no idea what the term referred to. Make no mistake boys and girls this ‘clumsiness’ surrounding Healthcare.com is camoflouge. They know EXACTLY what they’re doing.
.communist, that is
Well, the refererheader is a major privacy leak for most browsers but you can turn it off. Most people are oblivious to the fact that when they click a link the destination website knows where you’re coming from. Thus if they combine this with time and geographic info they can track you.
I’ve shut it off for years and have had only one problem over that time (a quirky website).
For Firefox the fix is quick and easy. These changes will persist and you can always change it back.
type about:config
into the standard input in the browser for URLS (i.e where you type http://www.google.com)
toggle down to
” network.http.sendRefererHeader” which by default is set to 2. Change the value on the right from two to zero.
close the window
Now when you click a link the destination website should receive no info on where you came from.
As our host may have guessed, I’m big into privacy.
Could also be a massive HIPAA violation to send or receive personal medical information, with liability in the billions.
Hi from Oz. Here in Australia it was revealed several years ago that the software most commonly used by private Medical practitioners sent “de-identified” data such as this to drug companies, in return for a fee to the software company. Nice little earner, I bet, but perfectly legal under our “privacy” laws, because it was “de-identified”! I thought at the time if the government had a clue they would have paid the fee and collected all this lovely data to help improve our healthcare, but no such luck -it seems they would rather line the pockets of big pharma.