Healthcare exchanges in New England shared users' sensitive health data with companies like Google
The exchange websites ask users to answer a series of questions, including about their health histories, to find them the most relevant information on plans. But in some cases, when visitors responded to sensitive questions, the invisible trackers sent that information to platforms like Google, LinkedIn, and Snapchat.
The Markup and CalMatters audited the websites of all 19 states that independently operate their own online health exchange. While most of the sites contained advertising trackers of some kind, The Markup and CalMatters found that four states exposed visitors' sensitive health information.
Nevada's exchange, Nevada Health Link, asks visitors about what prescriptions they use, including the names and dosages of the drugs, to help them find their best options for health insurance. When visitors start typing, it suggests specific medications, including antidepressants, birth control and hormone therapies.
As visitors answered the questions, their responses were sent to LinkedIn and Snapchat, according to tests conducted by The Markup and CalMatters in April and May.
When an individual indicated that they took Fluoxetine, commonly known as Prozac, on Nevada Health Link, the information was sent to LinkedIn.
The Markup/CalMatters
On the other side of the country, Maine's exchange, CoverME.gov, sent information on drug prescriptions and dosages to Google through an analytics tool. It also sent the names of doctors and hospitals that people had previously visited.
Rhode Island's exchange, HealthSource RI, sent prescription information, dosages, and doctors' names to Google.
Massachusetts Health Connector, another exchange, told LinkedIn whether visitors said they were pregnant, blind, or disabled.
After being contacted by The Markup and CalMatters, Nevada's health exchange stopped sending visitors' data to Snapchat and Massachusetts stopped sending data to LinkedIn. Additionally, The Markup and CalMatters found that Nevada stopped sending data to LinkedIn in early May, as we were testing.
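The Markup and CalMatters discovered the sharing after finding that California's exchange, Covered California, told LinkedIn when a visitor indicated they were blind, pregnant, or a victim of domestic violence.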
Experts said state health exchanges' use of advertising trackers was troubling if not entirely surprising. Such tools can help organizations to reach visitors and tailor ads for them. Google Analytics allows website operators to better understand who is coming to their site and to optimize ad campaigns. The LinkedIn and Snap trackers, like a similar offering from Meta, help companies target their social media ads.
Nevada uses the trackers to help target marketing at uninsured residents, according to Russell Cook, Executive Director of the state agency that operates Nevada's exchange, Silver State Health Insurance Exchange.
But health care services need to be especially careful with those tools, said John Haskell, a data privacy attorney who has previously worked as an investigator for the Department of Health and Human Services.
'It doesn't surprise me that organizations that have these massive tech stacks that rely on third party-resources don't have a full understanding of what the configuration is, what the data flows are, and then once they go to somebody, what that data is being used for,' Haskell said. 'It's something that needs to be addressed.'
How was state exchange data tied to users' identities?
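After The Markup and CalMatters reported on Covered California's sharing of health data with LinkedIn, the exchange removed its trackers and said it would review its data practices. The news triggered a class-action lawsuit and questions from federal lawmakers.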
The Markup and CalMatters then examined websites operated by 18 states other than California, as well as Washington, D.C., to see what information they shared as users navigated them. The sites were established under the Affordable Care Act, which requires states to offer health insurance either through their own exchanges or one operated by the federal government.
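To test them, we first ran the sites through Blacklight, a tool we developed to reveal web trackers. We then reviewed network traffic on the sites to see what data the trackers received when visitors filled out forms.
The results showed that 18 used some sort of tracker. Some were filled with them. Nevada, for example, used nearly 50. By contrast, Blacklight found no tracker of any kind on Washington, D.C.'s exchange. Popular websites use on average seven trackers, according to Blacklight scans of the 100,000 most trafficked sites on the web.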
Many of the sites used trackers in relatively innocuous ways, like counting page views.
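A site operator can repeat the kind of check described above, seeing what a site shares with third parties as a visitor answers its questions, against a HAR capture exported from a browser. The script below is an added example, not The Markup's or Blacklight's code: the hostnames, the canary answers and the capture are constructed, and it goes slightly beyond the article by also looking inside percent-encoded and base64-wrapped values.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

FIRST_PARTY = ("exchange.example",)  # assumption: placeholder for the site under test
CANARIES = ["Fluoxetine", "20 mg", "Dr Jane Example"]  # constructed test answers
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{8,}={0,2}")
URLSAFE = str.maketrans("-_", "+/")  # map URL-safe base64 to the standard alphabet


def is_third_party(host):
    host = host.lower().rstrip(".")
    return not any(host == d or host.endswith("." + d) for d in FIRST_PARTY)


def decoded_views(text):
    """Return text, its percent-decoded forms, and any base64 tokens decoded."""
    views = {text, unquote_plus(text), unquote_plus(unquote_plus(text))}
    for view in list(views):
        for token in B64_TOKEN.findall(view):
            try:
                std = token.rstrip("=").translate(URLSAFE)
                std += "=" * (-len(std) % 4)
                views.add(base64.b64decode(std, validate=True).decode("utf-8"))
            except ValueError:  # not base64, or not text once decoded
                pass
    return views


def request_fields(request):
    """Yield (location, text) for each place a request can carry form data."""
    url = urlsplit(request["url"])
    yield "path", url.path
    for name, value in parse_qsl(url.query):
        yield f"query:{name}", value
    body = request.get("postData", {}).get("text", "")
    if body:
        yield "body", body


def find_leaks(har, canaries):
    """Return sorted (host, location, canary) for answers seen by third parties."""
    findings = set()
    for entry in har["log"]["entries"]:
        request = entry["request"]
        host = urlsplit(request["url"]).hostname or ""
        if not is_third_party(host):
            continue  # the site's own backend is expected to receive the answers
        for location, text in request_fields(request):
            views = [v.lower() for v in decoded_views(text)]
            for canary in canaries:
                if any(canary.lower() in v for v in views):
                    findings.add((host, location, canary))
    return sorted(findings)


def entry(url, body=None):
    request = {"method": "POST" if body else "GET", "url": url}
    if body:
        request["postData"] = {"text": body}
    return {"request": request}


DOCTOR_B64 = base64.b64encode(b"Dr Jane Example").decode()
SAMPLE_HAR = {"log": {"entries": [  # constructed capture, not real traffic
    entry("https://www.exchange.example/api/quote", "drug=Fluoxetine&dose=20+mg"),
    entry("https://px.tracker.example/collect?ev=input&label=Fluoxetine%2020%20mg"),
    entry("https://stats.analytics.example/g",
          json.dumps({"en": "select_doctor", "ep": {"name": DOCTOR_B64}})),
    entry("https://cdn.fonts.example/font.woff2"),
]}}

if __name__ == "__main__":
    for host, location, canary in find_leaks(SAMPLE_HAR, CANARIES):
        print(f"{host}: {canary!r} found in {location}")
```

Typing distinctive canary values into the form makes matches unambiguous; hashed or encrypted payloads would not be caught by this string search.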
The four exchanges we found sharing sensitive health data sent varied responses to questions about the tracking.
Cook said in a statement that trackers placed by his Nevada agency were 'inadvertently obtaining information regarding the name and dosage of prescription drugs' and sending it to LinkedIn and Snapchat.
Cook acknowledged such data was 'wholly irrelevant to our marketing efforts' and said it had disabled tracking software pending an audit.
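Jason Lefferts, a spokesperson for Massachusetts Health Connector, said in a statement that 'personally identifiable information is not part of the tool's structure and no personally identifiable information, not even the IP addresses of users of the tool, has ever been shared with any party in any way via this tool.' But LinkedIn's tracker documentation makes clear that it correlates the information it receives with specific LinkedIn accounts so companies can use the data for features like retargeting website visitors. The company's documentation also states it later obscures this information and eventually deletes it.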
Spokespeople for the Rhode Island and Maine health exchanges said that they pay a vendor, Consumers' Checkbook, to run a separate site that allows visitors to explore what plans are available to them through their states' exchanges. It was from these sites that sensitive information was shared to Google. Consumers' Checkbook's sites are at different web addresses than the exchange sites, but are prominently linked to on the exchange sites and display identical branding like the state health exchange's logo, making it unlikely that an average visitor would realize they were no longer on a state-run domain.
Christina Spaight O'Reilly, a spokesperson for HealthSource RI, said the company uses Google Analytics to study trends but not to serve ads, and 'disables Google Signals Data Collection, ensuring that no data is shared with Google Ads for audience creation or ad personalization, and no session data is linked to Google's advertising cookies or identifiers.' HealthSource RI's terms of use mention the use of Google Analytics, she noted. A spokesperson for CoverME.gov made similar points, saying that the agency 'does not collect or retain any data entered into the tool.'
When an individual selected a doctor on HealthSource RI, the doctor's name was sent to Google Analytics.
The Markup/CalMatters
Consumers' Checkbook declined to comment beyond the exchanges' statements.
All of the exchanges said that individually identifiable health information, like names and addresses, wasn't sent to third parties. But the point of the trackers is to enhance information sent about a user with data the platforms already have on that user, and every tracker found by The Markup and CalMatters logged details about individual visitors, such as their operating system, browser, device, and times of visit.
In response to requests for comment, the tech companies whose trackers we examined uniformly said they do not want organizations sending them potentially sensitive health data, and that doing so is against their terms of use.
Steve Ganem, Director of Product Management for Google Analytics, said that 'by default any data sent to Google Analytics does not identify individuals, and we have strict policies against collecting Private Health Information or advertising based on sensitive information.' A spokesperson for LinkedIn, Brionna Ruff, said that advertisers are not allowed 'to target ads based on sensitive data categories,' such as health issues. A spokesperson for Snapchat owner Snap said the same, noting that sending purchases of supplies like prescriptions would run afoul of the company's rules about sensitive data.
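A Google Analytics information page specifically discusses how organizations that use the company's tools should comply with the Health Insurance Portability and Accountability Act, which protects health data. The page notes that 'Google makes no representations that Google Analytics satisfies HIPAA requirements.'
'It is important to ensure that your implementation of Google Analytics and the data collected about visitors to your properties satisfies all applicable legal requirements,' the page reads.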
More incidents
State exchanges aren't the only health sites that have sent medical information to social media companies.
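In 2022, The Markup revealed that dozens of hospital websites shared information with Facebook's parent company, Meta, through a tool called the Meta Pixel. The hospitals faced scrutiny from Congress and legal action. Another Markup investigation found trackers logging information about online drugstore visitors purchasing HIV tests and Plan B.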
In 2023, a New York hospital agreed to pay a $300,000 fine for violations of the Health Insurance Portability and Accountability Act, or HIPAA.
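In response to a series of incidents, the Department of Health and Human Services said in 2023 that use of social media trackers to log health information could violate HIPAA, although recent court decisions have narrowed how the law can be applied against companies that use those trackers.
Some plaintiffs have used state laws, like those in California, to argue that they should be compensated for having their health data sent to third parties without consent. Others have argued that this kind of tracking runs afoul of wiretapping or even racketeering laws.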
'Organizations aren't investing enough time and resources into properly vetting everything,' said Haskell, who advises clients to be very careful about the information they track on their sites. 'When organizations are saying, 'we didn't understand that there's a certain configuration of this tool that we're using,' well, I can't really not put that on you.'
