Some states shared private health information with Big Tech
05:44 Share

In business, they say you can have better, cheaper, or faster, but you only get to pick two. What if you could have all three at the same time? That's exactly what Cohere Thompson Reuters and Specialized Bikes have, since they upgraded to the next generation of the cloud, Oracle Cloud Infrastructure.

OCI is the blazing fast platform for your infrastructure, database, application development, and AI needs, where you can run any workload in a high-availability, consistently high-performance environment, and spend less than you would with other clouds.

How is it faster? OCI's block storage gives you more operations per second. Cheaper? OCI costs up to 50% less for compute, 70% less for storage, and 80% less for networking. Better? In test after test, OCI customers report lower latency and higher bandwidth versus other clouds. This is the cloud built for AI and all your biggest workloads.

Right now, with zero commitment, try OCI for free. Head to oracle.com slash marketplace tech. That's oracle.com slash marketplace tech. Hey, if you're listening to this, I will assume you're at least interested in money, understanding the economy and finances as well. And some of us now want to get the next generation interested as well.

So check out Million Bazillion, Marketplace's award-winning kids podcast that breaks down money to help dollars make more sense. Tune into Million Bazillion wherever you find your favorite podcasts. A whole new season is out now. Million Bazillion is presented in partnership with Greenlight, the debit card and money app for kids and teens. Greenlight helps kids and teens learn to earn, save, spend wisely, and invest. When you sign up for a Greenlight account at greenlight.com slash millions.

Are Affordable Care Act exchanges keeping your health information secure? From American Public Media, this is Marketplace Tech. I'm Novosafo. By law, your health information is private, but apparently not on some state-run websites that help people sign up for Affordable Care Act coverage. According to investigations by the online news sites The Markup and CalMatters,

Some state health insurance exchanges sent sensitive patient information to social media companies, apparently by mistake. Tomas Apodaca from CalMatters and The Markup followed the digital breadcrumbs. We found that California was leaking data to LinkedIn. After we published our findings on that investigation, we decided to check the other 19 states and Washington, D.C., that also operate their own health care exchanges online.

and found four additional states sharing data. That was Maine, Rhode Island, Nevada, and Massachusetts.

And they shared data without realizing they were sharing data? So yes, all the exchanges that responded to our question said that this data sharing was inadvertent, that they had set up these trackers for various purposes to help them reach uninsured residents of their states or to track visitors' activity on their sites so they could understand how people were using their sites and possibly also support their advertising campaigns.

And what kind of information did these state healthcare exchanges share with outside companies? And I believe the companies we're talking about are Google, LinkedIn, and Snap. So a lot of the leaking we found was through pre-screening tools, essentially tools that would ask you a series of questions. You know, is a member of your household pregnant? Is a member of your household blind or disabled?

We found California and Massachusetts both sending the answers to those questions to LinkedIn. Other states like Nevada, Maine, and Rhode Island all asked information about prescription medications. So what are the names of medications that people in your household take and what are the dosages that they take? We found Nevada sending that information to both LinkedIn and Snapchat and Maine and Rhode Island sent that information to Google.

And how big a trouble are states in now that this information has come out that this has happened? In the case of California, there has been a class action lawsuit filed that's looking for class action status. The lawsuit is against LinkedIn and Google, saying that when they received this information from the California exchange, they were breaking California and federal privacy laws. And some federal lawmakers have started to take notice of

A California lawmaker sent a letter to the Department of Health and Human Services asking them whether Covered California, the California exchange, had violated HIPAA in this case. And some Republicans on the House Committee on Energy and Commerce have sent a letter to Covered California asking them for the answers to a series of questions and for documentation about, you know, how exactly did this happen and what other trackers are they using? What kind of data is it sending? We'll be right back.

This Marketplace podcast is supported by Dell. Introducing the new Dell AI PC powered by Intel Core Ultra Processor. It's not just an AI computer. It's a computer built for AI.

That means it's built to help you do your busy work for you. So you can fast forward through editing images, designing presentations, generating code, debugging code, running lots of apps without lag, creating live translations and captions, summarizing meeting notes, extending battery life, enhancing security, finding that file you were looking for, managing your schedule, meeting your deadlines, responding to those long emails, leaving all the time in the world for more you time and for the things you actually want to do.

Get a new Dell AI PC starting at $699.99 at dell.com slash AI dash PC. How those ahead stay ahead.

This Marketplace podcast is supported by Palo Alto Networks. Enterprises are deploying and experimenting with AI apps and agents, often without the right security in place. Leverage the power of a comprehensive AI platform to secure AI at every step, from apps, agents, models, and data. Deploy AI bravely with Prisma Airs. More at paloaltonetworks.com.

You're listening to Marketplace Tech. I'm Novosafo. We're back with Tomas Apodaca. He's with the news sites CalMatters and The Markup, which uncovered evidence that some state health insurance exchange websites were transmitting sensitive patient data to social media companies. What have we heard from the tech companies? What have they said?

They have pretty uniformly pointed to their own sites where they offer this code and it does explicitly say, "We don't want this information. Don't place these trackers on parts of your site that collect this type of information."

Google, I think, explicitly said we do not make any claim to be covered by HIPAA or the Health Insurance Portability and Accountability Act. But the whole purpose of these trackers is to collect information so that it can be associated with people. If you're visiting one of these healthcare exchange websites and maybe you get halfway through applying for a plan and then

leave to go somewhere else. The healthcare exchange wants to know about that so that they can reach out to you through advertising and say, "Hey, you didn't finish. You still need healthcare. Please come back and finish applying. We want you to be covered in our state." So in order for that kind of outreach to happen, you have to know something about the person who visited your site, whether it was their IP address, what browser they were using, in order to be able to target them with ads later on on other websites.

And what does it tell us about the technology involved, whether it's at the state side or the internet advertising kind of ecosystem, that this kind of mistake can happen? It is incredibly complex. But I would say that if you're a state running a healthcare exchange, it is incumbent on you to manage that complexity.

You're managing sensitive data and you need to take extra steps and treat the residents of your state's data with extra care. So I think what we might find less surprising in a commercial website using trackers, I think is a little more serious or surprising when a state-run site is doing it.

That was Tomas Apodaca of CalMatters and the Markup. We'll have links to his stories with lots more details on our website, marketplacetech.org. Jesus Alvarado produced this episode. I'm Novosafo, and that's Marketplace Tech. This is APM.

This Old House has been America's most trusted source for all things DIY and home improvement for decades. And now we're on the radio and on demand. I think you're breaking into this wall regardless. I was hoping you wouldn't say that. I need to go and get some whiskey, I think. I would get the whiskey for sure. Subscribe to This Old House Radio Hour from LAist Studios, wherever you get your podcasts.