Third-party connections prompt more privacy concerns about ObamaCare site

A little-known side to the government's health insurance website is prompting renewed concerns about privacy, just as the White House is calling for stronger cybersecurity protections for consumers.

It works like this: When you apply for coverage on HealthCare.gov, dozens of data companies may be able to tell that you are on the site. Some can even glean details such as your age, income, ZIP code, whether you smoke or if you are pregnant.

The data firms have embedded connections on the government site. Ever-evolving technology allows individual Internet users to be tracked and profiled, and those profiles are a vital tool for advertisers.

Connections to multiple third-party tech firms were documented by technology experts who analyzed HealthCare.gov, and confirmed by The Associated Press. There is no evidence that personal information from HealthCare.gov has been misused, but the number of outside connections is raising questions.

"As I look at vendors on a website ... they could be another potential point of failure," said corporate cybersecurity consultant Theresa Payton. "Vendor management can often be the weakest link in your privacy and security chain."

A former White House chief information officer under President George W. Bush, she said the large number of outside connections on HealthCare.gov seems like "overkill" and makes it "kind of an outlier" among government websites.

The privacy concerns come against the backdrop of President Barack Obama's new initiative to protect personal data online, a highlight of his State of the Union message scheduled for Tuesday night. The administration is getting the health care website ready for the final enrollment drive of 2015, aiming to have more than 9 million people signed up by Feb. 15 for subsidized private coverage.

Medicare spokesman Aaron Albright said outside vendors "are prohibited from using information from these tools on HealthCare.gov for their companies' purposes." The government uses them to measure the performance of HealthCare.gov so consumers get "a simpler, more streamlined and intuitive experience," he added.

The administration did not explain how it ensures that privacy and security policies are being followed.

Third-party outfits that track website performance are a standard part of e-commerce. HealthCare.gov's privacy policy says in boldface that "no personally identifiable information is collected" by these web measurement tools.

But in a recent visit to the site, AP found that certain personal details -- including age, income, and whether you smoke -- were being passed along, likely without your knowledge, to advertising and Web analytics sites.

Google said Monday it doesn't use that kind of data or allow its systems to target ads based on health or medical history information. "When we learn of possible violations of this policy, we investigate and take swift action," the company said in a statement.

Still, the outside connections surprised a tech expert who evaluated HealthCare.gov's performance for AP.

"Anything that is health-related is something very private," said Mehdi Daoudi, CEO of Catchpoint Systems. "Personally, I look at this, and I am on a government website, and I don't know what is going on between the government and Facebook, and Google, and Twitter. Why is that there?"

Created under the president's health care law, HealthCare.gov is the online gateway to government-subsidized private insurance for people who lack coverage on the job.

Tracking consumers' Internet searches is a lucrative business, helping Google, Facebook and others tailor ads to customers' interests. Because your computer and mobile devices can be assigned an individual signature, profiles of Internet users can be pieced together, generating lists that have commercial value.

Third-party sites embedded on HealthCare.gov can't see your name, birth date or Social Security number. But they may be able to correlate the fact that your computer accessed the government website with your other Internet activities.

Have you been researching a chronic illness like coronary artery blockage? Do you shop online for smoking-cessation aids? Are you investigating genetic markers for a certain type of breast cancer? Are you seeking help for financial problems, or for an addiction?

Daoudi's company -- Catchpoint Systems -- came across some 50 third-party connections embedded on HealthCare.gov. They attracted attention because such connections can slow down websites. They work in the background, unseen to most consumers.

The AP was able to replicate the results. In one 10-minute visit to HealthCare.gov recently, dozens of websites were accessed behind the scenes. They included Google's data-analytics service, Twitter, Facebook and a host of online advertising providers.
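A site owner can run the same kind of check against a recorded list of the requests a page triggers. The script below is an added example, not code from the AP, Catchpoint or HealthCare.gov. Its domains and parameter names are constructed, and it assumes the details travel in request URLs or Referer headers, which the article does not specify.

```python
from urllib.parse import urlsplit, parse_qs

# Field names are hypothetical; they mirror the details the article lists.
SENSITIVE = {"age", "income", "zip", "smoker", "pregnant"}

def is_third_party(host, first_party):
    """Suffix match against the site's own domain (a real audit would
    compare registrable domains using the Public Suffix List)."""
    host = host.lower().rstrip(".")
    return not (host == first_party or host.endswith("." + first_party))

def leaked_fields(url):
    """Sensitive parameter names present in a URL's query string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k.lower() for k in query} & SENSITIVE

def audit(entries, first_party):
    """Map each third-party host to the sensitive fields it received,
    via its own request URL or via the Referer header sent with it."""
    report = {}
    for e in entries:
        host = urlsplit(e["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        found = leaked_fields(e["url"]) | leaked_fields(e.get("referer", ""))
        report.setdefault(host, set()).update(found)
    return report

# Constructed sample of recorded requests (not real traffic).
PAGE = "https://www.marketplace.example/plans?zip=00000&age=40&smoker=1&income=30000"
SAMPLE = [
    {"url": "https://www.marketplace.example/static/app.js", "referer": PAGE},
    {"url": "https://assets.marketplace.example/logo.png", "referer": PAGE},
    {"url": "https://metrics.tracker.example/collect?v=1", "referer": PAGE},
    {"url": "https://ads.adnet.example/pixel?age=40&smoker=1"},
    {"url": "https://fonts.cdn.example/font.woff"},
]

if __name__ == "__main__":
    for host, fields in sorted(audit(SAMPLE, "marketplace.example").items()):
        print(host, sorted(fields) or "no sensitive fields seen")
```

A third-party host that appears with an empty set still learns that the visit happened, which is the correlation risk the article describes.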

Aldo Cortesi, a security consultant who reviewed the AP's findings, found a number of third-party trackers that could log a user's actions in detail. Cortesi said there can be legitimate uses for such trackers, but said questions linger over the level of detailed information that could be sent to private parties.

"Third-party embedded websites are troubling because they can be used to track you and track your reading when you're browsing the Web," said Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, a civil liberties group.

"I think that this could erode ... confidentiality when dealing with medical data and medical information," said Quintin, who also reviewed the AP's results.

HealthCare.gov is currently serving consumers in 37 states, while the remaining states operate their own insurance markets. The administration has set a nationwide goal of 9.1 million people signed up through the insurance exchanges this year and paying their premiums.