HealthCare.gov is shuttling personal data to third parties

The HealthCare.gov website is no stranger to controversy, and latest to that is a discovery that some personal details about users — including how old they are, their state and zip code, annual income, parental status, and more — are being delivered to more than a dozen third-party websites. The information was first revealed by the Associated Press, and has since been investigated and confirmed by the Electronic Frontier Foundation (EFF.org). The information is being shared even if Do Not Track has been enabled.

According to EFF, the personal information is being sent through the referrer header, and that in some instances — demonstrated below — the data is included in the request string. A minimum of 14 domains are receiving the information, including Clicktale, Doubleclick, Mathtag, Mixtag, Akamai, Chartbeat, Google, and more.

The personal information is coming from the users, which input it when searching for whether they are eligible for coverage or to see a list of applicable health care plans. When this information is shared with other sites — Doubleclick, for example — it can be used to show you more relevant ads, such as smoking or anti-smoking ads if you've marked yourself as a smoker.

This has raised significant privacy concerns, and it isn't the first time such have arisen regarding the site. Around this time last year, for example, 70,000 records were accessed over a handful of minutes to make a strong point about security issues the site faced.

SOURCE: EFF.org