WASHINGTON (AP) — The government's health insurance website is quietly passing along consumers' personal data to outside websites, just as President Barack Obama is calling for stronger cybersecurity protections.
It works like this: When you apply for coverage on HealthCare.gov, dozens of data companies may be able to tell that you are on the site. Some can even glean details such as your age, income, ZIP code, whether you smoke or if you are pregnant.
HealthCare.gov contains embedded connections to multiple data firms that the administration says generate analysis to improve the consumer experience. Officials say outside firms barred are from using the data to further their own business interests.
Still, ever-evolving technology allows for individual Internet users to be tracked, building profiles coveted by advertisers.
Connections to third-party tech firms were documented by technology experts who analyzed HealthCare.gov, and were confirmed by The Associated Press. There is no evidence that personal information from HealthCare.gov has been misused, but the high number of outside connections is raising questions.
"As I look at vendors on a website…they could be another potential point of failure," said corporate cybersecurity consultant Theresa Payton. "Vendor management can often be the weakest link in your privacy and security chain."
A former White House chief information officer under President George W. Bush, she said the large number of outside connections on HealthCare.gov seems like "overkill" and makes it "kind of an outlier" among government websites.
The privacy concerns come against the backdrop Obama's new initiative to protect personal data online, a highlight of his State of the Union message scheduled for Tuesday night. The administration is getting the health care website ready for the final enrollment drive of 2015, aiming to have more than 9 million people signed up by Feb. 15 for subsidized private coverage.
Spokesman Aaron Albright said outside vendors "are prohibited from using information from these tools on HealthCare.gov for their companies' purposes." The government uses them to measure the performance of HealthCare.gov so consumers get "a simpler, more streamlined and intuitive experience," he added.
The administration did not explain how it ensures that its privacy and security policies are being followed.
Albright said Tuesday that HealthCare.gov comports with standards set by the federal National Institute for Standards and Technology. But recent NIST guidance cautions that collecting bits of seemingly random data can be used to piece together someone's identity.
In a recent visit to the site, AP found that certain personal details — including age, income, and whether you smoke — were being passed along likely without your knowledge to advertising and Web analytics sites.
Third-party outfits that track website performance are a standard part of e-commerce. HealthCare.gov's privacy policy says in boldface "no personally identifiable information is collected" by these web measurement tools.
Google said Monday it doesn't allow its systems to target ads based on health or medical history information. "We don't want and don't use that kind of data," the company said in a statement. "When we learn of possible violations of this policy, we investigate and take swift action."
Still, the outside connections surprised a tech expert who evaluated HealthCare.gov's performance for AP.
"Anything that is health-related is something very private," said Mehdi Daoudi, CEO of Catchpoint Systems. "Personally, I look at this, and I am on a government website, and I don't know what is going on between the government and Facebook, and Google, and Twitter. Why is that there?"
Created under the president's health care law, HealthCare.gov is the online gateway to government-subsidized private insurance for people who lack coverage on the job.
Tracking consumers' Internet searches is a lucrative business, helping Google, Facebook and others tailor ads to customers' interests. Because your computer and mobile devices can be assigned an individual signature, profiles of Internet users can be pieced together, generating lists that have commercial value.
Third-party sites embedded on HealthCare.gov can't see your name, birth date or Social Security number. But they may be able to correlate the fact that your computer accessed the government website with your other Internet activities.
Have you been researching a chronic illness like coronary artery blockage? Do you shop online for smoking-cessation aids? Are you investigating genetic markers for a certain type of breast cancer? Are you seeking help for financial problems, or for an addiction?
Daoudi's company — Catchpoint Systems— came across some 50 third-party connections embedded on HealthCare.gov. They attracted attention because such connections can slow down websites. They work in the background, unseen to most consumers.
The AP was able to replicate the results. In one 10-minute visit to HealthCare.gov recently, dozens of websites were accessed behind the scenes. They included Google's data-analytics service, Twitter, Facebook and a host of online advertising providers.
Aldo Cortesi, a security consultant who reviewed the AP's findings, found a number of third-party trackers that could log a user's actions in detail. Cortesi said there can be legitimate uses for such trackers, but said questions linger over the level of detailed information that could be sent to private parties.
"I think that this could erode … confidentiality when dealing with medical data and medical information," said Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, a civil liberties group. He also reviewed the AP's results.
HealthCare.gov is currently serving consumers in 37 states, while the remaining states operate their own insurance markets.
– by AP Reporters Ricardo Alonso-Zaldivar and Jack Gillum