The Electronic Frontier Foundation, a technology policy advocacy group, says it has confirmed that the federal government's Healthcare.gov is sharing personal data, including ZIP code, income level, smoking status, pregnancy status, and more, with at least 14 third parties.

"EFF researchers have independently confirmed that Healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track," EFF staff technologist Cooper Quintin writes in an EFF blog post after recent Associated Press reports.

According to Quintin, the information is sent via the referrer header, which carries the URL of the page that requested a third-party resource. The referrer header, he wrote, lets the requested resource know what URL the request came from; in this case, that URL contains personal health information.
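To make the mechanism Quintin describes concrete, here is an added Python example (not EFF's code and not from the article) that computes the Referer a browser sends from a page to an embedded resource under each W3C Referrer-Policy value, then lists which sensitive query-string fields that value hands to the third party; the policy names are the standard ones, with no-referrer-when-downgrade the browser default at the time and strict-origin-when-cross-origin the default today. The page URL and third-party host are constructed stand-ins, not Healthcare.gov's real URL structure.

```python
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample page URL (not a real Healthcare.gov URL): the plan-compare
# answers live in the query string, which is exactly what a referrer carries.
PAGE = "https://www.healthcare.gov/see-plans/?zip=20001&income=35000&smoker=1"
THIRD_PARTY = "https://analytics.example/pixel.gif"   # stand-in for an embedded resource
SENSITIVE = {"zip", "income", "smoker", "pregnant", "age"}

def _strip(url):
    """Referrer value with userinfo and fragment removed, as browsers send it."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))

def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc.rsplit('@', 1)[-1]}/"

def referer_for(page_url, resource_url, policy):
    """Referer sent for a request from page_url to resource_url under the
    named Referrer-Policy, or None when the browser sends nothing."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    same_origin = (page.scheme, page.hostname, page.port) == (res.scheme, res.hostname, res.port)
    downgrade = page.scheme == "https" and res.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return _strip(page_url)
    if policy == "no-referrer-when-downgrade":        # browser default in 2015
        return None if downgrade else _strip(page_url)
    if policy == "origin":
        return _origin(page_url)
    if policy == "same-origin":
        return _strip(page_url) if same_origin else None
    if policy == "strict-origin":
        return None if downgrade else _origin(page_url)
    if policy == "origin-when-cross-origin":
        return _strip(page_url) if same_origin else _origin(page_url)
    if policy == "strict-origin-when-cross-origin":   # current browser default
        if same_origin:
            return _strip(page_url)
        return None if downgrade else _origin(page_url)
    raise ValueError(f"unknown referrer policy: {policy}")

def leaked_fields(referer):
    """Sensitive query-string keys a third party learns from this Referer."""
    if not referer:
        return set()
    return {k for k, _ in parse_qsl(urlsplit(referer).query)} & SENSITIVE
```

Under the 2015 default, `leaked_fields(referer_for(PAGE, THIRD_PARTY, "no-referrer-when-downgrade"))` returns the full set of plan-compare answers, while strict-origin-when-cross-origin or no-referrer reduces the third party's view to the site's origin or nothing at all.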

Among the companies EFF technologists say the site shares information with are network optimization developer Akamai, Yahoo, Twitter, Google, and numerous Google subsidiaries such as DoubleClick and YouTube.

"Third-party resources could also introduce additional security risks to the Healthcare.gov website, with each included third-party resource increasing the attack surface of the site," Quintin cautions. "If an attacker were able to compromise just one of the third party resources included on Healthcare.gov they could potentially compromise the accounts of every user of Healthcare.gov."

Government officials told the Associated Press the information is being used only to measure the performance of Healthcare.gov and to assess and improve the user experience on the site. While the government site's privacy policy explicitly says it does not collect personally identifiable information (PII) about a visitor unless the visitor chooses to share it, it also states that such information may be used if the visitor made it available through a third-party website:

"Healthcare.gov sometimes collects and uses your PII if you made it available through third-party websites," it states. "However, we do not share PII made available through third-party websites. Your activity on the third-party websites we use is governed by the security and privacy policies of those sites. You should review the third-party privacy policies before using the sites and ensure that you understand how your information may be used."

All Employee Benefit Adviser content is archived after seven days.