HHS boosts privacy protections for HealthCare.gov

Website was sharing consumer data with third parties

HHS over the weekend said it is boosting privacy protections for U.S. residents' personal data on HealthCare.gov following reports last week that found the federal exchange website was sharing certain consumer data with third-party companies.

Background on the safety concerns

Last week, technology experts analyzing HealthCare.gov noted connections between the site and several third-party technology companies, prompting concerns about privacy. The investigation found that dozens of data companies might be able to determine when a user is on HealthCare.gov. Furthermore, according to the investigation, some companies might be able to piece together a user's age, income, ZIP code, and medical information.

The third parties cannot see a user's name, birth date, or Social Security number, but they might be able to determine personal information by noting that a user accessed HealthCare.gov and comparing that with other Internet activities.

HealthCare.gov's privacy policies state that "no personally identifiable information" is collected by third-party Web measurement tools, which are considered a standard part of e-commerce. According to CMS spokesperson Aaron Albright, third-party vendors "are prohibited from using information from these tools on HealthCare.gov for their companies' purpose," adding that the government uses them for performance measurement purposes.

HHS announces new privacy protections

HHS said it added another encryption layer to the site to help reduce the amount of data that are shared with other companies. The changes will decrease the amount of information that is available to third parties for consumers using HealthCare.gov's window shopping feature. According to the Associated Press, an independent analysis of HealthCare.gov released on Saturday showed that the number of embedded connections the site had with private companies fell from 50 to 30.

In addition, CMS in a statement on Saturday said it takes the privacy "questions seriously and immediately launched a review of [its] privacy policies, contracts for third party tools and URL constructions" and is "looking at whether there are additional steps [the agency] should take" to "further increase consumer privacy."


Sens. Chuck Grassley (R-Iowa) and Orrin Hatch (R-Utah) said the privacy discoveries are "extremely concerning" for consumers. Grassley has called on the Obama administration to explain how consumers' data were being used.

Meanwhile, Cooper Quintin, a staff technologist at the Electronic Frontier Foundation, said HHS' changes so far are "a great first step" to addressing privacy concerns, but he noted that the agency should do more, such as disabling third-party tracking for consumers who enable the "do not track" feature through their Web browsers.

Lawmakers demand answers in letter to HHS

In related news, top Democratic and Republican lawmakers on the House Oversight Committee on Thursday sent a letter to HHS Secretary Sylvia Mathews Burwell asking for information about how the federal government is using and sharing consumers' personal data collected through the federal exchange, CNN reports.

Committee Chair Jason Chaffetz (R-Utah), Rep. Elijah Cummings (D-Md.), and three additional committee members in the letter wrote that they are "concerned ... that sensitive consumer information submitted by visitors to HealthCare.gov—such as age, income, and smoking habits—is being shared."

The letter cited the investigation released last week and requested details about "the scope of the information that has been shared, as well as the controls in place to protect the personally identifiable information of consumers." In addition, the letter asked HHS to release the names of all third-party companies that received data from HealthCare.gov, as well as:

  • What data they receive;
  • How the data's use is restricted; and
  • How HHS makes sure the data are not being used commercially.

(Devaney, The Hill, 1/24; AP/Modern Healthcare, 1/24 [subscription required]; AP/The Oregonian, 1/23; Frates, CNN, 1/22)
