This is pretty shocking. What is PII doing in the query string in the first place? Disclosing pregnancy status from an insurance application sounds like a possible HIPPA violation and runs afoul of various state laws around 'Insurance Information and Privacy Protection'. E.g <a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=ins&group=00001-01000&file=791-791.29" rel="nofollow">http://www.leginfo.ca.gov/cgi-bin/displaycode?section=ins&gr...</a>. See Section 791.13(k). That's just CA law but many states followed with their own version. (IANAL)<p>I think the really big penalties come into play when medical information is 'personally identifiable'. Since this data is going to Google, Facebook, and Twitter (really?!) with 3rd party cookies, or even without, it would be hard to argue this data is not personally identifiable.<p>It's not like they didn't know they weren't sending this data out. Or perhaps the highly advanced debugging prowess of "Chrome Inspector" is beyond their pay grade.<p>Edit: Oh it's not even just Referral leak it's actually it the request in some cases, so blatantly intentional. :-(
<i>Spokesman Aaron Albright said outside vendors "are prohibited from using information from these tools on HealthCare.gov for their companies' purposes." The government uses them to measure the performance of HealthCare.gov so consumers get "a simpler, more streamlined and intuitive experience," he added.</i><p>It's one thing to send session length, general location, usage stuff like that to see where, for example, awareness campaigns might be needed. But really:<p><pre><code> smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000
</code></pre>
That's a bit much! And I suppose DoubleClick is carefully siloing this information so it doesn't accidentally perform all kinds of analysis on it for comparison with its other huge databases? Perhaps they are barred from selling it wholesale to data brokers but I can't imagine they are unable to use it for plenty of their own purposes.
Paging HN user brandonb and 'a bunch of other Google, Facebook, and Y Combinator alums' -- did this exist while you worked on the site?<p><pre><code> > I've been working on healthcare.gov for the last few months
</code></pre>
<a href="https://news.ycombinator.com/item?id=7312442" rel="nofollow">https://news.ycombinator.com/item?id=7312442</a>
Give $563M to Accenture and you get some really shoddy work <a href="http://www.healthcaredive.com/news/accenture-snags-new-5-year-healthcaregov-contract-for-563m/347935/" rel="nofollow">http://www.healthcaredive.com/news/accenture-snags-new-5-yea...</a>
An additional problem, as I see it, is that the Obama administration made unambiguous assurances that no PII was being collected as part of Healthcare.gov's use of web measurement tools. Here's the excerpt from the privacy policy:<p><i>HealthCare.gov uses a variety of Web measurement software tools. We use them to collect the information listed in the “Types of information collected” section above. The tools collect information automatically and continuously. No personally identifiable information is collected by these tools.</i> <a href="https://www.healthcare.gov/privacy/" rel="nofollow">https://www.healthcare.gov/privacy/</a><p>Note the last sentence is in bold on the actual web page.<p>A Department of Health and Human Services organ called the Centers for Medicare & Medicaid Services is responsible for the site. An enterprising HN reader might want to skim through the CMS (very long) privacy impact assessment to see if there are any other incorrect claims about Healthcare.gov:
<a href="http://www.hhs.gov/pia/cms-pia-summary-fy12q4.pdf" rel="nofollow">http://www.hhs.gov/pia/cms-pia-summary-fy12q4.pdf</a><p>It will be interesting to see if anyone gets fired as a result of this particular privacy screwup. The buck should stop <i>somewhere</i>, right?
Looks like a few of the tracking companies only just started to appear -<p><a href="http://builtwith.com/detailed/healthcare.gov" rel="nofollow">http://builtwith.com/detailed/healthcare.gov</a><p>The only non-ad tool they added was the Twitter Platform to their homepage. Lots of data leakage points though.
This is certainly scary stuff, but I was a bit annoyed with the line:<p>"...consequences such as when Target notified a woman's family that she was pregnant before she even told them. "<p>I've heard this story referenced time and again with respect to motivating people to care about privacy and tracking. I'm all for privacy, but I feel like: (a) we should have more recent anecdotes about the consequences of tracking than a story from 2012, (b) the mechanism that Target used to infer this is far less intrusive (not making it OK) than what we see here, and (c) its really not strong enough an example.<p>Not that speculation is the way to go, but what about the possibility of someone being turned down for life insurance due to this information?
They don't even get into the repercussions of loading externally-hosted JavaScript into a secure page.<p>We avoid this entirely (also hosting medical data), though it's been a bit of extra work to do so.<p>I'm sure Chartbeat, Mathtag, Mixpanel, Google, etc. are reasonably careful about their security, and of course they would suffer as well if one of the servers/scripts was compromised and the breach was made public.<p>But in short -- healthcare.org's security <i>relies</i> on the idea that <i>none</i> of these many 3rd parties will ever have a CDN server compromised, for example. Or (in other situations) have the NSA demand access.<p>It just takes one -- and then an "improved" script could be delivered to only clients visiting a single targeted site, or even specific targeted clients. The normal customer just sees the lock icon and can verify that there's a secure connection to the main host; but there are actually many other connections going on to other hosts, and any of them may provide a script that can access any sensitive data on the page.
What else could one <i>possibly</i> expect when an industry has succeeded at convincing the government to make buying their product mandatory?!<p>I know the EFF focuses specifically on informational issues, but stirring outrage over one abuse of a captive market when such abuses are <i>by design</i> is a disservice to general sanity.
More government doing shitty things not in its charter. I'm numb to this abuse. Next up: increased taxes + inflation.<p>I hope I live to see the day that the laws are twisted and shredded such that all corporate-government data about every person is available for purchase. I'd love to have that detailed record of everything I've said, thought, places I've been, etc since ~Y2K. How cool would that be?<p>I've heard it said that future cultural anthropologists of the future will absolutely love mining the rich personal data coming out of this period of time.
If you're looking for a better place to go than healthcare.gov, give us a try at stridehealth.com. Bunch of ex-privacy folks and healthcare folks - can shop from your phone. Pretty shocking to see such a novice mistake by an org I think we were all expecting to take it up a level this year.
I heard something awhile back about the us government(NSA) leveraging the cookie in a way that they could use it as a surveillance beacon. I doubt there is any relation, but it makes you think a bit.<p>[1] <a href="https://www.eff.org/deeplinks/2013/12/nsa-turns-cookies-and-more-surveillance-beacons" rel="nofollow">https://www.eff.org/deeplinks/2013/12/nsa-turns-cookies-and-...</a>
One of the heavily trafficked sites in India (Railway Booking) has been showing Google adsense ads. Someone is making a Million dollars a month in Government :)<p><a href="https://www.irctc.co.in/eticketing/loginHome.jsf" rel="nofollow">https://www.irctc.co.in/eticketing/loginHome.jsf</a><p>536 Global Rank (50 in India):
<a href="http://www.alexa.com/siteinfo/www.irctc.co.in" rel="nofollow">http://www.alexa.com/siteinfo/www.irctc.co.in</a>