EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.

In some cases the information is also sent embedded in the request string itself, like so:

https://4037109.fls.doubleclick.net/activityi;src=...type=20142003;cat=201420;ord=7917385912018;~oref=https://www.healthcare.gov/seeplans/85601/results/county=04019&age=40&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000& &step=4?

In the above example, a URL at doubleclick.net is requested by your browser. Appended to the end of this URL is your age, smoking status, pregnancy status, parental status, zip code, state and annual income. This URL is requested by your browser after you fill out the required information on healthcare.gov and click the button to view the health insurance plans you are eligible for.
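As an added example (not part of the EFF post), the following Python script audits one outgoing request the way the table below does: it flags a third-party destination and lists sensitive fields found in the Referer header or embedded in the request URL itself, including inside DoubleClick's ~oref= parameter. The sample tracker URL is constructed from the one quoted above with a placeholder src value, and the two-label domain check is a simplification.

```python
from urllib.parse import urlparse, unquote

# Query parameters on the healthcare.gov plan-results page that carry personal
# health data (field names taken from the URL quoted in the article).
SENSITIVE_PARAMS = {"age", "smoker", "parent", "pregnant", "zip", "state", "income"}

def site_of(host: str) -> str:
    """Crude registrable-domain check (last two labels). A production audit
    should use the public suffix list instead."""
    return ".".join(host.lower().split(".")[-2:])

def sensitive_fields(text: str) -> dict:
    """Find sensitive key=value pairs anywhere in a URL or header value,
    including inside an embedded URL such as DoubleClick's ~oref= parameter."""
    found = {}
    flat = unquote(text)
    # DoubleClick separates parameters with ';' and nests a full URL after
    # '~oref='; normalise every delimiter to '&' so one split finds them all.
    for sep in (";", "?", " ", "/"):
        flat = flat.replace(sep, "&")
    for chunk in flat.split("&"):
        key, eq, value = chunk.partition("=")
        if eq and key in SENSITIVE_PARAMS:
            found[key] = value  # an empty value still reveals the field was asked
    return found

def audit_request(first_party_host: str, request_url: str, referer: str) -> dict:
    """Classify one outgoing request the way the article's table does: is the
    destination third-party, and is PII present in the Referer and/or the URL?"""
    host = urlparse(request_url).hostname or ""
    return {
        "domain": site_of(host),
        "third_party": site_of(host) != site_of(first_party_host),
        "pii_in_referer": sensitive_fields(referer),
        "pii_in_request": sensitive_fields(request_url),
    }

# Constructed sample: the first-party results page (sent as the Referer) and a
# tracker request modelled on the one quoted above; src is a placeholder.
PAGE_URL = ("https://www.healthcare.gov/seeplans/85601/results/county=04019&age=40"
            "&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000&step=4")
TRACKER_URL = ("https://4037109.fls.doubleclick.net/activityi;src=SRC_PLACEHOLDER;"
               "type=20142003;cat=201420;ord=7917385912018;~oref=" + PAGE_URL)

if __name__ == "__main__":
    for key, value in audit_request("www.healthcare.gov", TRACKER_URL, PAGE_URL).items():
        print(f"{key}: {value}")
```

The script only reports the leak; the server-side fix is a Referrer-Policy response header (no-referrer or same-origin) together with keeping sensitive fields out of page URLs.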

The following is a table showing which third party domains EFF researchers confirmed were receiving the private health data.

Domain          PII in referrer          PII in request
Akamai.net
Chartbeat.net
Clicktale.net
Doubleclick.net
Google.com
Mathtag.com
Mixpanel.com
Nrd-data.net
Optimizely.com
Reson8.com
Rfihub.com
Twitter.com
Yahoo.com
Youtube.com

Sending such personal information raises significant privacy concerns. A company like Doubleclick, for example, could match up the personal data provided by healthcare.gov with an already extensive trove of information about what you read online and what your buying preferences are to create an extremely detailed profile of exactly who you are and what your interests are. It could do all this based on a tracking cookie that it sets which would be the same across any site you visit. Based on this data, Doubleclick could start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker. Doubleclick might start to show you ads related to pregnancy, which could have embarrassing and potentially dangerous consequences such as when Target notified a woman's family that she was pregnant before she even told them.

It's especially troubling that the U.S. government is sending personal information to commercial companies on a website that's touted as the place for people to obtain health care coverage. Even more troubling is the potential for companies like Doubleclick, Google, Twitter, Yahoo, and others to associate this data with a person's actual identity. Google, thanks to real name policies, certainly has information uniquely identifying someone using Google services. If a real identity is linked to the information received from healthcare.gov it would be a massive violation of privacy for users of the site.

Third-party resources could also introduce additional security risks to the healthcare.gov website, with each included third-party resource increasing the attack surface of the site. If an attacker were able to compromise just one of the third-party resources included on healthcare.gov, they could potentially compromise the accounts of every user of healthcare.gov. The attacker could then sell the private health information or hold it for ransom.

For now, EFF recommends installing software that will block third-party tracking, such as EFF's own Privacy Badger. Privacy Badger will block the referrers and the connections to third-party sites on healthcare.gov and protect your personal health information.

Health information is some of the most sensitive and personal information there is. People's private medical data should not be available to third-party companies without consent from the user. This practice is negligent at best, and potentially devastating for consumers. At a minimum, healthcare.gov should disable third-party trackers for any user that requests an opt out using the DNT header. Arguably, healthcare.gov should meet good privacy standards for all its users.

President Obama will give his State of the Union speech tonight, in which he is expected to address cybersecurity issues. If President Obama is really concerned about cybersecurity, he may want to start in his own backyard, by securing healthcare.gov.

This post first appeared on the Electronic Frontier Foundation's site and is republished here under a Creative Commons license.