WASHINGTON – The government's health insurance website is quietly sending consumers' personal data to private companies that specialize in advertising and analyzing Internet data for performance and marketing, The Associated Press has learned.
The scope of what is disclosed or how it might be used was not immediately clear, but it can include age, income, ZIP code, whether a person smokes, and if a person is pregnant. It can include a computer's Internet address, which can identify a person's name or address when combined with other information collected by sophisticated online marketing or advertising firms.
The Obama administration says HealthCare.gov's connections to data firms were intended to help improve the consumer experience. Officials said outside firms are barred from using the data to further their own business interests.
There is no evidence that personal information has been misused. But connections to dozens of third-party tech firms were documented by technology experts who analyzed HealthCare.gov and then confirmed by AP. A handful of the companies were also collecting highly specific information. That combination is raising concerns.
Leading lawmakers on Tuesday asked the administration to explain how it oversees the data firms to make sure no personally identifiable information is improperly used or shared.
"This new information is extremely concerning, not only because it violates the privacy of millions of Americans, but because it may potentially compromise their security," Sens. Orrin Hatch, R-Utah, and Charles Grassley, R-Iowa, wrote to the administration.
Created under the president's health care law, HealthCare.gov is the online gateway to government-subsidized private insurance for people who lack coverage on the job. It serves consumers in 37 states, while the remaining states operate their own insurance markets.
A former White House chief information officer, Theresa Payton, said third-party vendors are a weak link on any website. She questioned both the number of vendors on HealthCare.gov and the specific details some of them are collecting.
"You don't need all of that data to do customer service," said Payton, who served under President George W. Bush. "We know hackers are just waiting at the door, salivating to get at this data."
The privacy concerns come against the backdrop of President Barack Obama's new initiative to protect personal data online. Separately, the administration is getting the health care website ready for the final enrollment drive of 2015, aiming to have more than 9 million people signed up by Feb. 15 for subsidized private coverage.
Administration spokesman Aaron Albright said outside vendors "are prohibited from using information from these tools on HealthCare.gov for their companies' purposes." The government uses them to measure the performance of HealthCare.gov so consumers get "a simpler, more streamlined and intuitive experience," he said.
The administration did not explain how it ensures that companies were following the government's privacy and security policies.
Albright said HealthCare.gov comports with standards set by the federal National Institute for Standards and Technology. But recent NIST guidance cautions that collecting bits of seemingly random data can be used to piece together someone's identity.
In a recent visit to the site, AP found that certain personal details – including age, income and smoking habits – were being passed along, likely without consumers' knowledge, to advertising and Web analytics sites.
Google said it doesn't allow its systems to target ads based on health or medical history information. "When we learn of possible violations of this policy, we investigate and take swift action," the company said in a statement.
Still, the outside connections surprised a tech expert who evaluated HealthCare.gov's performance for the AP.
"Personally, I look at this ... and I don't know what is going on between the government and Facebook, and Google, and Twitter," said Mehdi Daoudi, CEO of Catchpoint Systems. "Why is that there?"
Tracking consumers' Internet searches is a lucrative business, helping Google, Facebook and others tailor ads to customers' interests. Because your computer and mobile devices can be assigned an individual signature, profiles of Internet users can be pieced together, generating lists that have commercial value.
Third-party sites embedded on HealthCare.gov can't see your name, birth date or Social Security number. But they may be able to correlate the fact that your computer accessed the government website with your other Internet activities.
Have you been researching a chronic illness like coronary artery blockage? Do you shop online for smoking-cessation aids? Are you investigating genetic markers for a certain type of breast cancer? Are you seeking help for financial problems, or for an addiction?
Daoudi's company, Catchpoint Systems, came across some 50 third-party connections embedded on HealthCare.gov. They work in the background, unseen to most consumers.
The AP replicated the results. In one 10-minute visit to HealthCare.gov recently, dozens of websites were accessed behind the scenes. They included Google's data-analytics service, Twitter, Facebook and a host of online advertising providers.
"I think that this could erode ... confidentiality when dealing with medical data and medical information," said Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, a civil liberties group.