How California sent residents’ personal health data to LinkedIn

Sheldon Cooper/SOPA Images/LightRocket via Getty Images

Featured eBooks
AI, From Front Line to Back Office
Trust in Government
Chasing New Industry
Insights & Reports
Powering resilience: How utilities can stay ahead of evolving cyber threats
Presented By Splunk
Download Now
A Use Case Guide Splunk for the Public Sector
Presented By Splunk
Download Now
By Colin Lecher and Tomas Apodaca,
The Markup

By Colin Lecher and Tomas Apodaca,
The Markup

|

The state’s health insurance exchange transmitted pregnancy and domestic abuse data during a marketing campaign. It is reviewing its website practices.

This article was originally published on The Markup and was republished under the Creative Commons Attribution-NonCommercial-NoDerivatives license.

The website that lets Californians shop for health insurance under the Affordable Care Act, coveredca.com, has been sending sensitive data to LinkedIn, forensic testing by The Markup has revealed. 

As visitors filled out forms on the website, trackers on the same pages told LinkedIn their answers to questions about whether they were blind, pregnant, or used a high number of prescription medications. The trackers also monitored whether the visitors said they were transgender or possible victims of domestic abuse.

Covered California, the organization that operates the website, removed the trackers as The Markup and CalMatters reported this article. The organization said they were removed “due to a marketing agency transition” in early April. 

Related articles

Progressives seek health privacy protections in California, but Newsom could balk

As privacy conversations become mainstream, data protection laws gain traction

Survey: Few states have ‘established’ privacy program

In a statement, Kelly Donohue, a spokesperson for the agency, confirmed that data was sent to LinkedIn as part of an advertising campaign. Since  being informed of the tracking, “all active advertising-related tags across our website have been turned off out of an abundance of caution,” she added. 

“Covered California has initiated a review of our websites and information security and privacy protocols to ensure that no analytics tools are impermissibly sharing sensitive consumer information,” Donohue said, adding that they would “share additional findings as they become available, taking any necessary steps to safeguard the security and privacy of consumer data.”

Visitors who filled out health information on the site may have had their data tracked for more than a year, according to Donohue, who said the LinkedIn campaign began in February 2024. 

The Markup observed the trackers directly in February and March of this year. It confirmed most ad trackers, including the Meta “pixel” tracker, as well as all third-party cookies, have been removed from the site as of April 21. 

Since 2014, more than 50 million Americans have signed up for health insurance through state exchanges like Covered California. They were set up under the Affordable Care Act, signed into law by President Barack Obama 15 years ago. States can either operate their exchange websites in partnership with the federal government or independently, as California does

Covered California operates as an independent entity within the state government. Its board is appointed by the governor and Legislature. 

In March, Covered California announced that, after four years of increasing enrollment, a record of nearly 2 million people were covered by health insurance through the program. In all, the organization said, about one in six Californians were at one point enrolled through Covered California. Between 2014 and 2023, the uninsured rate fell from 17.2% to 6.4%, according to the organization, the largest drop of any state during that time period. This coincided with a series of eligibility expansions to Medi-Cal, the state’s health insurance program for lower-income households.

Experts expressed alarm at the idea that those millions of people could have had sensitive health data sent to a private company without their knowledge or consent. Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, said it was “concerning and invasive” for a health insurance website to be sending data that was “wholly irrelevant” to the uses of a for-profit company like LinkedIn.

“It’s unfortunate,” she said, “because people don't expect that their health information will be collected and used in this way.”

The LinkedIn Insight Tag

The Markup and CalMatters in recent months scanned for trackers on hundreds of California state and county government websites that offer services for undocumented immigrants using Blacklight, an automated tool developed by The Markup for auditing website trackers. 

The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. Covered California had dozens more than any other website we examined. 

On coveredca.com, trackers from well-known social media firms like Meta collected information on visitor page views, while lesser-known analytics and media campaign companies like email marketing company LiveIntent also followed users across the site. 

But by far the most sensitive information was transmitted to LinkedIn. 

While some of the data sent to LinkedIn was relatively innocuous, such as what pages were visited, Covered California also sent the company detailed information when visitors selected doctors to see if they were covered by a plan, including their specialization. The site also told LinkedIn if someone searched for a specific hospital.

 In addition to demographic information including gender, the site also shared details with LinkedIn when visitors selected their ethnicity and marital status, and when they told coveredca.com how often they saw doctors for surgery or outpatient treatment. 

LinkedIn, like other large social media firms, offers a way for websites to easily transmit data on their visitors through a tracking tool that the sites can place on their pages. In LinkedIn’s case, this tool is called the Insight Tag. By using the tag, businesses and other organizations can later target advertisements on LinkedIn to consumers that have already shown interest in their products or services. For an e-commerce site, a tracker on a page might be able to note when someone added a product to their cart, and the business can then send ads for that product to the same person on their social media feeds. 

A health care marketplace like Covered California might use the trackers to reach a group of people who might be interested in a reminder of a deadline for open health insurance enrollment, for example.

In its statement, Covered California noted the usefulness of these tools, saying the organization “leverages LinkedIn’s advertising platform tools to understand consumer behavior and deliver tailored messages to help them make informed decisions about their health care options.”

Trackers can also be valuable to the social media companies that offer them. In addition to driving ad sales, they provide an opportunity to gather information on visitors to websites other than their own.

On its informational page about the Insight Tag, LinkedIn places the burden on websites that employ the tag not to use it in risky situations. The tag “should not be installed on web pages that collect or contain Sensitive Data,” the page advises, including “pages offering specific health-related or financial services or products to consumers.”

LinkedIn spokesperson Brionna Ruff said in an emailed statement, “Our Ads Agreement and documentation expressly prohibit customers from installing the Insight Tag on web pages that collect or contain sensitive data, including pages offering health-related services.. We don’t allow advertisers to target ads based on sensitive data or categories.”

Legal Recourse

Collection of sensitive information by social media trackers has in previous instances led to removal of the trackers, lawsuits, and scrutiny by state and federal lawmakers.

For example, after The Markup in 2022 revealed the Department of Education sent personal information to Facebook when students applied for college financial aid online, the department turned off the sharing, faced questions from two members of Congress, and was sued by two advocacy groups who sought more information about the sharing. Other stories in the same series about trackers, known as the Pixel Hunt, also led to changes and blowback, including a crackdown by the Federal Trade Commission on telehealth companies transmitting personal information to companies including Meta and Google without user consent and proposed class action lawsuits over information shared through trackers with drug stores, health providers, and tax prep companies.

LinkedIn is already facing multiple proposed class-action lawsuits related to the collection of medical information. In October, three new lawsuits in California courts alleged that LinkedIn violated users’ privacy by collecting information on medical appointment sites, including for a fertility clinic. 

Social media companies’ tracking practices have underpinned the tremendous growth of the tech industry, but few web users are aware of how far the tracking goes. “This absolutely contradicts the expectation of the average consumer,” Geoghegan said. 

In California, a law called the California Confidentiality of Medical Information Act governs the privacy of medical information in the state. Under the act, consumers must give permission to some organizations before their medical information is disclosed to third parties. Companies have faced litigation under the law for using web tracking technologies, although those suits have not always been successful

Geoghegan said current protections like these don’t go far enough in helping consumers protect their sensitive data. 

“This is an exact example of why we need better protections,” she said of LinkedIn receiving the data. “This is sensitive health information that consumers expect to be protected and a lack of regulations is failing us.”

Originally published on themarkup.org

NEXT STORY: Ohio judge permanently blocks social media age verification law

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.