HealthCare.gov Sends Personal Data to Dozens of Tracking Websites


EFF.org

The Associated Press reports that healthcare.gov, the flagship site of the Affordable Care Act, where millions of Americans have signed up to receive health care, is quietly sending personal health information to a number of third party websites. The information being sent includes one's zip code, income level, smoking status, pregnancy status and more.

[Figure] An example of personal health data being sent to third parties from healthcare.gov

EFF researchers have independently confirmed that healthcare.gov is sending personal health information to at least 14 third party domains, even if the user has enabled Do Not Track. The information is sent via the referrer header, which contains the URL of the page requesting a third party resource. The referrer header is an essential part of the HTTP protocol, and is sent for every request that is made on the web. The referrer header lets the requested resource know what URL the request came from. This would for example let a website know who else was linking to their pages. In this case however the referrer URL contains personal health information.

In some cases the information is also sent embedded in the request string itself, like so:

https://4037109.fls.doubleclick.net/activityi;src=4037109;type=20142003;cat=201420;ord=7917385912018;~oref=https://healthcare.gov/see-plans/85601/results/?county=04019&age=40&smoker=1&parent=&pregnant=1&mec=&zip=85601&state=AZ&income=35000&&step=4?

In the above example, a URL at doubleclick.net is requested by your browser. Appended to the end of this URL is your age, smoking status, pregnancy status, parental status, zip code, state and annual income. This URL is requested by your browser after you fill out the required information on healthcare.gov and click the button to view health insurance plans that you are eligible for.
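To make the mechanism concrete, the following is an added example (not code from the EFF post) that audits a third-party request the way a site owner or privacy reviewer would: it parses the request URL and the referrer for the query keys the post identifies as personal data, including a healthcare.gov URL embedded inside the tracker's own URL, and it computes what a Referrer-Policy would have let the browser send instead. The sample request and referrer are constructed, modelled on the doubleclick URL shown above; the list of sensitive keys and the two-label domain helper are assumptions for the example.

```python
"""Added example: find personal data leaking to third parties via the
Referer header or the request URL, and show the effect of Referrer-Policy."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Query keys the post identifies as personal health information (assumed list).
SENSITIVE_KEYS = {"age", "smoker", "pregnant", "parent", "zip", "state",
                  "income", "county"}

# Constructed sample modelled on the doubleclick request quoted in the post.
SAMPLE_REQUEST = (
    "https://4037109.fls.doubleclick.net/activityi;src=4037109;type=20142003;"
    "cat=201420;ord=7917385912018;~oref=https://healthcare.gov/see-plans/85601/"
    "results/?county=04019&age=40&smoker=1&parent=&pregnant=1&mec=&zip=85601"
    "&state=AZ&income=35000&step=4"
)
# Constructed Referer header the browser would attach to that request.
SAMPLE_REFERER = (
    "https://healthcare.gov/see-plans/85601/results/?county=04019&age=40"
    "&smoker=1&parent=&pregnant=1&zip=85601&state=AZ&income=35000"
)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the domains in the post."""
    return ".".join(host.lower().split(".")[-2:])


def sensitive_params(url):
    """Non-empty query parameters of url whose key is considered sensitive."""
    query = urlsplit(url).query
    return {k: v for k, v in parse_qsl(query, keep_blank_values=False)
            if k in SENSITIVE_KEYS}


def audit_request(request_url, referer=None):
    """Report which sensitive values reach the third party, and by which path."""
    host = urlsplit(request_url).hostname or ""
    in_request = sensitive_params(request_url)
    # Trackers often embed the originating page URL in their own URL
    # (the "~oref=https://..." part above); parse each embedded URL too.
    start = request_url.find("://") + 3
    for m in re.finditer(r"https?://", request_url[start:]):
        embedded = unquote(request_url[start + m.start():])
        in_request.update(sensitive_params(embedded))
    in_referer = sensitive_params(referer) if referer else {}
    return {"domain": registrable_domain(host),
            "in_request": in_request, "in_referer": in_referer}


def referrer_under_policy(policy, page_url, request_url):
    """Referer value the browser sends for request_url from page_url under a
    Referrer-Policy (None means no Referer header is sent)."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    origin = f"{page.scheme}://{page.netloc}/"
    full = page._replace(fragment="").geturl()
    same_origin = (page.scheme, page.netloc) == (req.scheme, req.netloc)
    downgrade = page.scheme == "https" and req.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "origin":
        return origin
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown Referrer-Policy {policy!r}")


if __name__ == "__main__":
    report = audit_request(SAMPLE_REQUEST, SAMPLE_REFERER)
    print(f"{report['domain']}: request leaks {sorted(report['in_request'])}, "
          f"referrer leaks {sorted(report['in_referer'])}")
    for pol in ("unsafe-url", "strict-origin-when-cross-origin", "no-referrer"):
        print(f"{pol:32} -> {referrer_under_policy(pol, SAMPLE_REFERER, SAMPLE_REQUEST)}")
```

The two leak paths need different fixes, which is why the audit reports them separately: a Referrer-Policy of `no-referrer` or `strict-origin-when-cross-origin` on the page stops the referrer path, but data the page's own script copies into the tracker's URL (the `~oref=` part) still leaks until that script is removed or the page URL stops carrying the answers in its query string.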

The fol­low­ing is a table show­ing which third par­ty domains EFF researchers con­firmed were receiv­ing the pri­vate health data.

Domain            PII in referrer   PII in request
Akamai.net        ✓
Chartbeat.net     ✓                 ✓
Clicktale.net     ✓
Doubleclick.net   ✓                 ✓
Google.com        ✓                 ✓
Mathtag.com       ✓
Mixpanel.com      ✓
Nrd-data.net      ✓
Optimizely.com    ✓                 ✓
Reson8.com        ✓
Rfihub.com        ✓
Twitter.com       ✓
Yahoo.com         ✓
Youtube.com       ✓

Send­ing such per­son­al infor­ma­tion rais­es sig­nif­i­cant pri­va­cy con­cerns. A com­pa­ny like Dou­bleclick, for exam­ple, could match up the per­son­al data pro­vid­ed by healthcare.gov with an already exten­sive trove of infor­ma­tion about what you read online and what your buy­ing pref­er­ences are to cre­ate an extreme­ly detailed pro­file of exact­ly who you are and what your inter­ests are. It could do all this based on a track­ing cook­ie that it sets which would be the same across any site you vis­it. Based on this data, Dou­bleclick could start show­ing you smok­ing ads or infer your risk of can­cer based on where you live, how old you are and your sta­tus as a smok­er. Dou­bleclick might start to show you ads relat­ed to preg­nan­cy, which could have embar­rass­ing and poten­tial­ly dan­ger­ous con­se­quences such as when Tar­get noti­fied a wom­an’s fam­i­ly that she was preg­nant before she even told them.

It’s espe­cial­ly trou­bling that the U.S. gov­ern­ment is send­ing per­son­al infor­ma­tion to com­mer­cial com­pa­nies on a web­site that’s tout­ed as the place for peo­ple to obtain health care cov­er­age. Even more trou­bling is the poten­tial for com­pa­nies like Dou­bleclick, Google, Twit­ter, Yahoo, and oth­ers to asso­ciate this data with a per­son­’s actu­al iden­ti­ty. Google, thanks to real name poli­cies, cer­tain­ly has infor­ma­tion unique­ly iden­ti­fy­ing some­one using Google ser­vices. If a real iden­ti­ty is linked to the infor­ma­tion received from healthcare.gov it would be a mas­sive vio­la­tion of pri­va­cy for users of the site.

Third-par­ty resources could also intro­duce addi­tion­al secu­ri­ty risks to the healthcare.gov web­site, with each includ­ed third-par­ty resource increas­ing the attack sur­face of the site. If an attack­er were able to com­pro­mise just one of the third par­ty resources includ­ed on healthcare.gov they could poten­tial­ly com­pro­mise the accounts of every user of healthcare.gov. The attack­er could then sell the Pri­vate Health Infor­ma­tion or hold it for ransom.

For now, EFF recommends installing software that will block third party tracking, such as EFF's own Privacy Badger. Privacy Badger will block the referrers and the connections to third party sites on healthcare.gov and protect your personal health information.

Health infor­ma­tion is some of the most sen­si­tive and per­son­al infor­ma­tion there is. Peo­ple’s pri­vate med­ical data should not be avail­able to third par­ty com­pa­nies with­out con­sent from the user. This prac­tice is neg­li­gent at best, and poten­tial­ly dev­as­tat­ing for con­sumers. At a miminum, healthcare.gov should dis­able third-par­ty track­ers for any user that requests an opt out using the DNT head­er. Arguably, healthcare.gov should meet good pri­va­cy stan­dards for all its users.

Pres­i­dent Oba­ma will give his State of the Union speech tonight, in which he is expect­ed to address cyber­se­cu­ri­ty issues. If Pres­i­dent Oba­ma is real­ly con­cerned about cyber­se­cu­ri­ty, he may want to start in his own back­yard, by secur­ing healthcare.gov.