Governance & Risk Management , Next-Generation Technologies & Secure Development , Privacy
HealthCare.gov Makes Privacy Fixes
Facing Criticism, HHS Addresses Third-Party Tracking WorriesAfter heavy criticism from privacy watchdogs, the Department of Health and Human Services has made a number of fixes to the HealthCare.gov website for Obamacare to scale back the release of consumer data to third-party commercial sites.
See Also: OnDemand | Understanding Privacy Issues with Generative AI
In a statement issued on Jan. 24, Kevin Counihan, who serves as CEO for the HealthCare.gov marketplace at HHS' Centers for Medicare and Medicaid Services, acknowledged that questions were raised last week about HHS' relationship with a variety of third-party companies, HealthCare.gov's privacy policies, and the technical way the site was constructing Web page addresses, or URLs.
"We take these questions seriously, and immediately launched a review of our privacy policies, contracts for third-party tools and URL construction," Counihan said. "We are looking at whether there are additional steps we should take to improve our efforts. While this process is ongoing, we have taken action that we believe helps further increase consumer privacy."
He explained in the statement that as CMS prepared for 2015 open enrollment, "we focused on what we could do to improve the consumer experience. Based on this learning, we use some third-party tools to do important things, like to get visibility into when consumers are having difficulty, or understand when website traffic is building during busy periods. We also educate those who are uninsured about the importance of health coverage, the role of the marketplace, and the financial assistance available to marketplace consumers. One of the most cost-effective and best ways to reach the uninsured is through digital media and advertising. To do this well, we have contracts with companies that help us to connect interested consumers to HealthCare.gov and continuously measure and improve site performance and our outreach efforts."
Counihan said that among the changes made in response to the criticism is "adding a layer of encryption that reduces the information available to the third-party tools we use from our URLs. We will continue this review and take any concerns raised about privacy seriously and will work to address them head on."
'Great First Step'
Cooper Quintin, staff technologist at Electronic Frontier Foundation, a civil liberties and privacy advocacy group, tells Information Security Media Group: "HealthCare.gov appears to have stopped sending personal health information to third parties via referrers and URL parameters, which is a great first step."
Last week, the foundation independently tested the HealthCare.gov site, confirming an Associated Press report that the Obamacare website was sending consumers' personal data to third-party commercial sites.
The foundation reported that its testing last week found that the HealthCare.gov site was sending personal health information - including ZIP code, income level, smoking status, pregnancy status and more - to at least 14 third-party domains, even if the user has enabled "do not track."
The advocacy group found that the information was sent via the referrer header, which contains the URL of the page requesting a third-party resource, Quintin says. "The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the Web. The referrer header lets the requested resource know what URL the request came from. This would, for example, let a website know who else was linking to their pages. In this case, however, the referrer URL contains personal health information," he says.
However, in response to the public criticism, "it appears that HealthCare.gov is already taking steps to fix the worst information leaks on their site - though we would like to see them take further measures," Quintin tells ISMG.
"A harder thing to fix, which we think is probably nonetheless important, is the fact that many of HealthCare.gov's third-party service providers will record the fact that one of their cookie IDs is using HealthCare.gov in the first place, which is itself a potentially sensitive fact about a person," he says. "At a minimum, HealthCare.gov should disable third-party trackers for any user that requests an opt-out. Arguably, HealthCare.gov should meet good privacy standards for all its users."
Most of the third-party trackers that were embedded in the HealthCare.gov site appeared to be designed for use in analytics, Quintin says. "These are used by Web developers to monitor how people are interacting with a website so that the developers can make improvements to make the browsing experience more pleasant. While this is a 'legitimate' use, it needs to be done in a way that doesn't sacrifice user privacy; especially where personal health information is concerned," he says.
HHS did not respond to an ISMG request for additional comment beyond the statement from Counihan.
A Common Issue for Websites
Like HealthCare.gov, a wide variety of other websites have third-party tracking enabled.
"These kinds of third-party problems are common across most websites, unfortunately," Quintin says. "The problem is that currently, the predominant business model of the Web is tracking peoples' reading habits and displaying advertisements based on that. This is a huge, daily invasion of privacy and has got to change."
Mac McMillan, CEO of the security consulting firm CynergisTek, notes: "What the government is doing here [with HealthCare.gov] is not out of the ordinary. Measuring performance and consumer experience is standard with Web-based services/platforms. Many sites do this, particularly retail consumer sites, and individuals should be aware and make decisions as to whether or not they are comfortable with these practices and those sites and any controls for opting out or blocking this activity.
McMillan contends there aren't any good reasons why HealthCare.gov should be sending personal data to third parties without consumer knowledge or consent. "Interestingly, the HealthCare.gov privacy policy does provide insight into their interaction with other sites, such as Google, Facebook, etc. and the fact that, depending on actions of the individual, certain personally identifiable information (PII) may be made available to those sites," he notes.
Deborah Peel, M.D., founder of Patient Privacy Rights, a privacy advocacy group, tells ISMG, "I'm really glad to see this issue is resurfacing. It's unconscionable to allow multiple trackers to collect and sell information about people seeking health insurance. Of course the government needs analytics to understand who is using the site. But surely they could run analytics using vendors that do not sell and trade our personal information."
So what steps can consumers do to better protect their privacy on HealthCare.gov and other websites? "Read the privacy policy closely," McMillan says. "Become educated about the system and what it is doing, your rights, and your ability to exercise those rights. I agree there should be an opt-out process that blocks third-party tracking, and consumers should exercise their right to use it."
Additionally, the Electronic Frontier Foundation's Quintin suggests consumers install ad blocker software, which "will stop most of the third-party trackers present on HealthCare.gov and other websites, protecting the users privacy from non-consensual third-party trackers across the Web."