Californians seeking health insurance through the state’s official Affordable Care Act marketplace have unknowingly had their sensitive medical information shared with LinkedIn, according to recent forensic testing. The investigation revealed concerning privacy violations that could affect millions of residents who used the Covered California website.<\/p>\n
An investigation by CalMatters uncovered that coveredca.com was sending highly sensitive health information to LinkedIn without users’ knowledge or permission. When visitors completed forms on the website, embedded trackers were simultaneously transmitting their responses to LinkedIn, including deeply personal health information.<\/p>\n
The data being shared included responses to questions about:<\/p>\n
This unauthorized data sharing continued for more than a year, according to a Covered California spokesperson, who confirmed the LinkedIn campaign began in February 2024. The investigation found this sensitive information was being transmitted as part of an advertising strategy.<\/p>\n
Once confronted with the findings, Covered California quickly removed the tracking mechanisms from their website. Kelly Donohue, a spokesperson for the agency, stated that “all active advertising-related tags across our website have been turned off out of an abundance of caution.”<\/p>\n
The organization has initiated a comprehensive review of their website security protocols and privacy practices to ensure no analytics tools are improperly sharing sensitive consumer information. Covered California has promised to share additional findings as they become available and take necessary steps to safeguard user data privacy.<\/p>\n
As of April 21, CalMatters confirmed that most ad trackers, including Meta’s “pixel” tracker and all third-party cookies, had been removed from the site. The organization attributed the removal to “a marketing agency transition” that occurred in early April.<\/p>\n
The investigation revealed that Covered California’s website contained over 60 different trackers \u2013 a staggering number compared to other government websites. When CalMatters and The Markup scanned hundreds of California state and county government websites that offer services for undocumented immigrants, they found that the average site had only three trackers.<\/p>\n
While many trackers collected relatively innocuous information like page views, the LinkedIn trackers captured much more sensitive data, including:<\/p>\n
The data was transmitted through LinkedIn’s “Insight Tag” \u2013 a tracking tool that organizations can place on their websites. This tool allows businesses to later target advertisements on LinkedIn to consumers who have shown interest in their products or services.<\/p>\n
Covered California defended the use of such tools, stating that the organization “leverages LinkedIn’s advertising platform tools to understand consumer behavior and deliver tailored messages to help them make informed decisions about their healthcare options.”<\/p>\n
However, LinkedIn’s own guidelines explicitly state that the Insight Tag “should not be installed on web pages that collect or contain Sensitive Data,” including “pages offering specific health-related or financial services or products to consumers.”<\/p>\n
LinkedIn spokesperson Brionna Ruff emphasized this point, stating: “Our Ads Agreement and documentation expressly prohibit customers from installing the Insight Tag on web pages that collect or contain sensitive data, including pages offering health-related services. We don’t allow advertisers to target ads based on sensitive data or categories.”<\/p>\n
This type of data collection has previously led to lawsuits and regulatory scrutiny. LinkedIn already faces multiple proposed class-action lawsuits related to the collection of medical information, including three new lawsuits filed in California courts in October alleging privacy violations related to medical appointment sites.<\/p>\n
In California, the California Confidentiality of Medical Information Act requires organizations to obtain permission before disclosing medical information to third parties. However, experts argue that current protections are insufficient.<\/p>\n
Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, expressed alarm at the situation, calling it “concerning and invasive” for a health insurance website to share data that was “wholly irrelevant” to a for-profit company like LinkedIn.<\/p>\n
“This is an exact example of why we need better protections,” Geoghegan stated. “This is sensitive health information that consumers expect to be protected and a lack of regulations is failing us.”<\/p>\n
The potential privacy breach affects a significant portion of California’s population. Since 2014, Covered California has provided health insurance to millions of residents through the state exchange established under the Affordable Care Act.<\/p>\n
In March, the organization announced record enrollment numbers, with nearly 2 million people covered through the program. According to their statistics, approximately one in six Californians have at some point been enrolled through Covered California.<\/p>\n
Between 2014 and 2023, the state’s uninsured rate dropped dramatically from 17.2% to 6.4% \u2013 the largest decrease of any state during that time period. This coincided with a series of eligibility expansions to Medi-Cal, California’s health insurance program for lower-income households.<\/p>\n
This incident highlights the growing tension between digital marketing practices and consumer privacy expectations, particularly regarding sensitive health information. Social media companies’ tracking practices have fueled tremendous growth in the tech industry, but few web users understand the extent of this tracking.<\/p>\n
“This absolutely contradicts the expectation of the average consumer,” Geoghegan noted.<\/p>\n
Previous investigations by The Markup have uncovered similar privacy concerns, including the Department of Education sending personal information to Facebook when students applied for college financial aid online. Such revelations have led to regulatory actions, including a Federal Trade Commission crackdown on telehealth companies transmitting personal information without user consent.<\/p>\n
As digital health services continue to expand, the need for stronger privacy protections becomes increasingly urgent to ensure that sensitive personal health information remains confidential and secure.<\/p>\n
Discover the latest\u00a0payers\u2019 news updates<\/strong><\/a>\u00a0with a single click. Follow\u00a0DistilINFO HealthPlan<\/a>\u00a0and stay ahead with updates. Join our community today!<\/p>\n","protected":false},"excerpt":{"rendered":"