Skip to main content

Healthcare.gov sends user information to third parties, violating its own privacy policy

Healthcare.gov sends user information to third parties, violating its own privacy policy

Share this story

Obamacare Healthcare.gov website (STOCK)
Obamacare Healthcare.gov website (STOCK)

Here's more evidence of cutting corners during the development of the Healthcare.gov insurance marketplace: the website appears to be violating its own privacy policy by sending private user information to third parties.

Security researcher Ben Simo noticed that Healthcare.gov was sending his user name and password reset code to third party partners including the analytics services Pingdom, DoubleClick, and Google Analytics.

The risk to users is low since the information is encrypted as it is sent, and those partners are all reputable companies. However, the oversight may constitute a violation of the site's own privacy policy, which says, "No personally identifiable information is collected by these tools."

Facebook and Myspace were fined by the Federal Trade Commission (FTC) for similar infractions last year.

"We don't want and don't use this type of data."

What's more, there is no need to send user names or password reset codes to third parties. "We don't want and don't use this type of data," a representative for Google, which owns DoubleClick and Google Analytics, says in an email to The Verge. "Thanks for raising this — we're looking into it."

User names and password reset codes "are not of interest to Pingdom," Sam Nurmi, CEO of Pingdom, says in an email. The company was discarding user names and password reset codes, but rewrote its software in order to reject the information outright, he says.

"This is the sort of thing that the FTC has fined other companies over," Simo says. "The fact that they're doing this gives me more reason to be concerned about their overall approach to security. Do they really understand how to build a secure site?"

Simo also discovered another security hole on Healthcare.gov that could have allowed hackers to reset users' passwords. That hole has been patched, but other issues remain. He notes that the insurance application retains data and returns it to the browser, which appears to violate a clause in the privacy policy that says, "we will maintain the information you provide only as long as needed to respond to your question or to fulfill the stated purpose of the communication."

Facebook and Myspace were fined by the Federal Trade Commission for similar infractions

Department of Health and Human Services (HHS) chief Kathleen Sebelius addressed security concerns in her testimony during a Congressional oversight hearing yesterday. "The highest security standards are in place and people have every right to expect privacy," she says. "I do absolutely commit to protecting the privacy of the American public. We should be held accountable for protecting privacy."

Centers for Medicare and Medicaid Services, the division of HHS that administers Healthcare.gov, did not respond to a request for comment on the transmission of private data in apparent violation of Healthcare.gov's privacy policy.

The website has had problems with basic functionality, which the administration promises to have fixed by the end of November. It's now looking like security and privacy were overlooked in the rush to open the marketplace by October 1st, the deadline mandated by the Affordable Care Act which requires all Americans to have health insurance. An internal administration memo leaked yesterday warned of "high" risks due to the lack of time to do a security audit.