Health insurance details reach online advertisers

Jan 21, 2015 15:40 GMT

Health insurance information is sent by HealthCare.gov to advertising companies that track data from websites for marketing purposes.

The details passed to third parties include a person’s zip code, age, financial status, parental status, and whether the user is a smoker or is pregnant.

Data is sent through the referrer header

The report comes from the Associated Press and it has been confirmed by tests carried out by the Electronic Frontier Foundation (EFF).

The recipients of HealthCare.gov’s data appear to include companies like Google, Twitter, Yahoo and Akamai. EFF has discovered that 14 domains are getting the information from the US government’s health insurance website, even if the Do Not Track header is turned on in the user’s web browser.

“The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web,” EFF’s Cooper Quintin writes in a blog post.
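
An added example, not code from the article, EFF or the Associated Press: a Node.js check that scans recorded browser requests and reports each third-party host whose Referer header carries sensitive query parameters of the page being viewed. The site name, hosts, parameter names and values are constructed for illustration, and matching first-party hosts by domain suffix is a simplifying assumption.

```javascript
// Added example. All hosts, parameter names and values are constructed.
const PAGE = "https://www.insurance.example/plans?zip=85601&age=40" +
  "&smoker=1&parent=1&pregnant=1&income=35000";
const SENSITIVE = new Set(["zip", "age", "smoker", "parent", "pregnant", "income"]);
const SAMPLE_REQUESTS = [
  { url: "https://www.insurance.example/app.js", headers: { Referer: PAGE, DNT: "1" } },
  { url: "https://ads.tracker-one.example/pixel.gif", headers: { referer: PAGE, DNT: "1" } },
  { url: "https://cdn.widgets.example/lib.js",
    headers: { Referer: "https://www.insurance.example/", DNT: "1" } },
  { url: "https://stats.tracker-two.example/collect?e=view", headers: { Referer: PAGE } },
];

// Header names are case-insensitive in HTTP, so look them up that way.
function header(req, name) {
  const key = Object.keys(req.headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : req.headers[key];
}

// Assumption: a host is first-party if it equals siteDomain or is a subdomain of it.
function isFirstParty(host, siteDomain) {
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// Return one record per third-party request whose Referer exposes sensitive
// query parameters of a first-party page.
function findReferrerLeaks(requests, siteDomain, sensitive) {
  const leaks = [];
  for (const req of requests) {
    const target = new URL(req.url);
    if (isFirstParty(target.hostname, siteDomain)) continue; // same site, not a leak
    let ref;
    try { ref = new URL(header(req, "referer")); } catch { continue; } // absent or malformed
    if (!isFirstParty(ref.hostname, siteDomain)) continue;
    const exposed = [...ref.searchParams.keys()].filter((k) => sensitive.has(k.toLowerCase()));
    if (exposed.length === 0) continue; // e.g. Referer trimmed to the origin
    leaks.push({ recipient: target.hostname, exposed, dnt: header(req, "dnt") === "1" });
  }
  return leaks;
}

for (const leak of findReferrerLeaks(SAMPLE_REQUESTS, "insurance.example", SENSITIVE)) {
  console.log(`${leak.recipient} received ${leak.exposed.join(", ")} (DNT sent: ${leak.dnt})`);
}
```

The third sample request is not reported because its Referer carries only the origin, with no query string.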

Attackers could steal the data from advertisers

Apart from the obvious privacy breach, users of the website are also unnecessarily exposed to a security risk.

If an attacker breaches the computer network of one of the third-party entities storing the health information, they could use that information for nefarious purposes, such as demanding a ransom.

The Associated Press says that the IP address is also leaked by the website, which could lead to identifying a person by name and address. Combined with all the other details collected, this would let advertisers deploy a marketing campaign serving products the user is highly likely to purchase.

EFF reached the same conclusion, with Quintin saying that these details allow DoubleClick (a Google subsidiary) to “start showing you smoking ads or infer your risk of cancer based on where you live, how old you are and your status as a smoker.”

Although it is unclear why the data is sent to other entities, this may very well be an oversight by the web developers. At the moment, there is no information about possible misuse of consumers' details.