Added protections for consumer information on health website

By JACK GILLUM and RICARDO ALONSO-ZALDIVAR
January 24, 2015 7:12 PM

WASHINGTON (AP) — The Obama administration appears to be making broader changes to protect consumer information on the government's health insurance website, after objections from lawmakers and privacy advocates.

The Associated Press reported last week that details such as consumers' income and tobacco use were going to private companies with a commercial interest in such data.

AP also reported that a number of companies had embedded connections on HealthCare.gov, raising privacy and security issues for some tech experts.

An independent analysis of the health care website, released Saturday, showed that the number of embedded connections to private companies had dropped from 50 to 30.

Those changes accompanied another shift by the administration to curtail the release of specific personal information from the website. The AP reported that change Friday.

After failing to respond to interview requests, the administration posted a statement Saturday evening. HealthCare.gov CEO Kevin Counihan acknowledged that privacy questions have been raised, and added: "We are looking at whether there are additional steps we should take to improve our efforts. While this process is ongoing, we have taken action that we believe helps further increase consumer privacy."

Officials have said the sole purpose of embedded connections to private companies was to monitor HealthCare.gov and improve performance for consumers.

The episode could become a blemish on what's otherwise shaping up as a successful open enrollment season for the second year of expanded coverage under President Barack Obama's health care law.

Lawmakers continue to insist on a full explanation.

HealthCare.gov is used by millions to sign up for subsidized private coverage under the law, or to merely browse for insurance plans in their communities.

The changes by the administration mean that the website is no longer explicitly sending out such details as age, income, ZIP code, tobacco use and whether a woman is pregnant.

An independent tech expert said Saturday that a new analysis by his firm also found a sharp drop in the number of embedded connections to outside companies.

Mehdi Daoudi, CEO of Catchpoint Systems, which measures website performance, said that was down from 50 to 30 such connections. Catchpoint had previously analyzed the performance of HealthCare.gov for AP, and found the site was much improved. But Daoudi had raised questions about the high number of third-party connections.

Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, a civil liberties group, said the changes are "a great first step," but more needs to be done.

For example, the health site should disable third-party tracking for people who enable the "do not track" feature on their web browsers. "HealthCare.gov should meet good privacy standards for all its users," he said.

Privacy advocates say the mere presence of connections to private companies on the government's website — even if they don't explicitly receive personal data — should be examined because of their ability to reveal sensitive information about a user.

Administration officials did not answer AP's questions about how the government monitors the outside companies. They only said that third parties must agree they will not use the information for their own business purposes.

Third-party outfits that track website performance are a standard part of e-commerce. It's a lucrative business, helping Google, Facebook and others tailor ads to customers' interests. Because your computer and mobile devices can be assigned an individual signature, profiles of Internet users can be pieced together, generating lists that have commercial value.

The third-parties embedded on HealthCare.gov can't see your name, birth date or Social Security number. But they may be able to correlate the fact that your computer accessed the government website with your other Internet activities.

Have you been researching a chronic illness such as coronary artery blockage? Do you shop online for smoking-cessation aids? Are you investigating genetic markers for a certain type of breast cancer? Are you seeking help for financial problems, or for an addiction?

Google told the AP it doesn't allow its systems to target ads based on medical information.

After AP's first report, Sens. Orrin Hatch, R-Utah, and Chuck Grassley, R-Iowa, called the situation "extremely concerning" for consumers. Grassley said Friday it's still unclear how consumers' information is being used and he wants a full explanation.

Officials at the Department of Health and Human Services had at first defended their information-sharing practices. There is no evidence that consumers' personal information was misused, they said.

The website's privacy policy says in boldface type that no "personally identifiable information" is collected by outside Web measurement tools. That is a term defined in government regulations, but other personal details were being allowed through.

HealthCare.gov is the online gateway to government-subsidized private insurance for people who lack coverage on the job. It serves 37 states, while the remaining states operate their own insurance markets. The privacy concerns surfaced just as the president was calling for stronger Internet safeguards for consumers, in his State of the Union speech.

The website was crippled by serious technical problems when it made its debut in the fall of 2013. This year it has worked much better, a marked contrast. The administration is aiming to have more than 9 million people signed up by Feb. 15, the last day of open enrollment.

But the privacy issues were a reminder that the website remains a work in progress, like the underlying law that created it.