Experts have long warned that Healthcare.gov, the federal insurance-exchange website, lacks the necessary security measures to protect consumers’ privacy, and now a new vulnerability has been uncovered. According to the Associated Press, “dozens” of third-party websites track Healthcare.gov users’ activity — including some very personal details — potentially enabling them to profit from such data.
The AP asked Catchpoint Systems, which specializes in Internet performance testing and monitoring, to evaluate Healthcare.gov’s performance. The company “came across some 50 third-party connections embedded on HealthCare.gov,” the news service reported. “They attracted attention because such connections can slow down websites. They work in the background, unseen to most consumers.”
This was no mere fluke. The AP ran its own test and found that “in one 10-minute visit to HealthCare.gov recently, dozens of websites were accessed behind the scenes. They included Google’s data-analytics service, Twitter, Facebook and a host of online advertising providers.” Some of these outside websites “can even glean details such as your age, income, ZIP code, whether you smoke or if you are pregnant.”
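A site owner can run the same kind of check against a browser capture of their own pages. The Python below is an added example, not part of the original article or of the AP or Catchpoint tests: it reads a HAR export, lists the third-party hosts contacted, and flags those that were sent the kinds of details named above in a request URL or Referer header. The hosts, parameter names and capture are constructed, and the assumption that such details travel in URLs is not something the article states.

```python
import json
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "healthcare.gov"
# Assumed parameter names for the details the article lists (constructed).
SENSITIVE = {"age", "income", "zip", "smoker", "pregnant"}

# Constructed HAR-style capture; hosts, paths and values are made up.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.healthcare.gov/quote?zip=12345&age=40&smoker=1",
                 "headers": []}},
    {"request": {"url": "https://analytics.example/collect?v=1",
                 "headers": [{"name": "Referer",
                              "value": "https://www.healthcare.gov/quote?zip=12345&age=40&smoker=1"}]}},
    {"request": {"url": "https://ads.example/pixel?income=35000&pregnant=0",
                 "headers": [{"name": "Referer", "value": "https://www.healthcare.gov/"}]}},
    {"request": {"url": "https://cdn.example/lib.js", "headers": []}},
]}})

def is_first_party(host):
    """True for the site itself and any of its subdomains."""
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)

def sensitive_keys(url):
    """Sensitive parameter names present in a URL's query string."""
    return {k.lower() for k, _ in parse_qsl(urlsplit(url).query)} & SENSITIVE

def audit(har_text):
    """Map each third-party host to the sensitive field names it was sent."""
    report = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if not host or is_first_party(host):
            continue
        leaked = report.setdefault(host, set())
        leaked |= sensitive_keys(req["url"])        # sent directly in the request
        for h in req.get("headers", []):
            if h["name"].lower() == "referer":      # sent via the referring page URL
                leaked |= sensitive_keys(h["value"])
    return report

if __name__ == "__main__":
    for host, fields in sorted(audit(SAMPLE_HAR).items()):
        print(host, sorted(fields) or "no sensitive fields seen")
```

A host that appears with an empty set still counts as a third-party connection; it simply was not seen receiving any of the listed fields in this capture.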
“Anything that is health-related is something very private,” Catchpoint CEO Mehdi Daoudi told the AP. “Personally, I look at this, and I am on a government website, and I don’t know what is going on between the government and Facebook, and Google, and Twitter. Why is that there?”
The Obama administration maintains that such third-party connections exist to help the government improve the website but that consumers needn’t be concerned that these outside parties might use this information for personal gain.
Outside vendors “are prohibited from using information from these tools on HealthCare.gov for their companies’ purposes,” spokesman Aaron Albright told the AP. The tools, he said, are used to measure website performance so that consumers get “a simpler, more streamlined and intuitive experience.”
“The administration did not explain how it ensures that its privacy and security policies are being followed,” noted the AP. Albright said the website complies with National Institute of Standards and Technology (NIST) standards, though the AP pointed out that “recent NIST guidance cautions that collecting bits of seemingly random data can be used to piece together someone’s identity.”
And that’s just the point. While the embedded third-party sites may not be able to obtain a user’s name, birth date, or Social Security number from Healthcare.gov, by using his computer or mobile device’s IP address, they may be able to connect the data they’re getting from the exchange site with data from other websites, giving them a fairly clear picture of that individual’s health, interests, and family life. That, in turn, could be used to target that person for commercial purposes.
Such targeting could be either for good (offering discounts on products he may need) or for ill (denying him life insurance because of potential health problems or risky behaviors). But it is certainly not what Americans expect the government to be doing with the sensitive information they are now practically required by law to provide.
“I think that this could erode … confidentiality when dealing with medical data and medical information,” Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, a civil-liberties organization, told the AP.
Some might argue that this behind-the-scenes data sharing is no different from what occurs on private websites. The difference, however, is that some people, by virtue of the existence of ObamaCare, are more or less required to supply this information, whereas no one is forced to visit, e.g., Amazon.com. Moreover, those companies gleaning data from Healthcare.gov are doing so at the invitation of the government, giving them an unfair competitive edge over others. As one commenter at American Thinker put it, “Those getting a wealth of data [from] the clicks are certainly cronies essentially thriving off the taxpayer and the violent coercion forcing people to the government website.”
The AP wrote that thus far, “there is no evidence that personal information from HealthCare.gov has been misused, but the high number of outside connections is raising questions.”
“As I look at vendors on a website … they could be another potential point of failure,” corporate cybersecurity consultant Theresa Payton told the AP. “Vendor management can often be the weakest link in your privacy and security chain.”
After all, the more times data is replicated to different servers, the more opportunities there are for security breaches. Thus, even if vendors don’t profit from Healthcare.gov data, hackers just might.
Security has never been one of Healthcare.gov’s strong points. ABC News reported that “the website ultimately went live … without ever having undergone complete end-to-end-security testing.” Since then, numerous security experts have warned of vulnerabilities in the system, and last summer hackers were able to upload malware onto a Healthcare.gov test server, though supposedly no personal information was compromised. Shortly thereafter, the Obama administration refused to release any information on the website’s security when the AP requested it under the Freedom of Information Act. It similarly denied such information to the House Science, Space, and Technology Committee.
“The Obama administration has failed to provide this committee with information about the security of the ObamaCare website,” committee chairman Lamar Smith (R-Texas) said in October. “What is the White House trying to hide? The American people deserve to know their personal information on HealthCare.gov is absolutely secure.”
With every passing day, however, the security of Healthcare.gov — and the administration’s concern for average Americans — is called into greater question.