
California Health Insurance Exchange Sent Sensitive User Data to LinkedIn

The California health insurance exchange, Covered California, has been found to be sharing sensitive data with LinkedIn via website trackers, according to an investigation by The Markup.

Tracking code is used across the Internet. Website owners add the code to their websites to gain insights into user behavior. The providers of that code are often sent the data the tracking code collects, which may be information about the pages the user visited, how long they spent on each page, and how they navigated the website. In the case of an e-commerce website, that data may include a product that was added to the cart but was not purchased. The user can then be served adverts related to that product as they browse the web.

If tracking code is added to a web page that collects sensitive data, that information may also be transmitted to a third party. The Markup conducted a scan of the coveredca.com website, which is used by Californians to shop for health insurance, and identified 60 different trackers between February and March of this year. Out of all of those trackers, the LinkedIn Insight Tag tool transmitted the most data, and that tool had been added to web pages with forms that collect user data.

Some of that data was of a sensitive nature, such as whether the user was blind, pregnant, transgender, a victim of domestic abuse, or used a high number of prescription medications. Other data sent to LinkedIn included the user’s marital status, ethnicity, and how often they visit a doctor. If the user conducted a search for a specific hospital, that information was shared with LinkedIn, as well as when they selected a doctor to see if they were covered under a health plan.
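A site owner can check for the condition described above, third-party tags on pages with forms that collect user data, by auditing page HTML. The following is an added example, not code from The Markup or Covered California; the tracker hostnames are assumed from the vendors' public snippets, and the sample page and the `exchange.example` domain are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts from the vendors' public snippets, not from the article.
KNOWN_TRACKERS = {"snap.licdn.com": "LinkedIn Insight Tag",
                  "connect.facebook.net": "Meta Pixel"}

class PageScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts, self.fields = set(), []
        self._in_form = self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative URLs
            if host:
                self.hosts.add(host.lower())
        elif tag == "form":
            self._in_form = True
        elif self._in_form and tag in ("input", "select", "textarea"):
            if a.get("type") != "hidden" and a.get("name"):
                self.fields.append(a["name"])  # fields a user fills in

    def handle_endtag(self, tag):
        self._in_script &= tag != "script"
        self._in_form &= tag != "form"

    def handle_data(self, data):
        if self._in_script:  # tags are often injected from inline JavaScript
            self.hosts.update(h for h in KNOWN_TRACKERS if h in data)

def audit_page(html, first_party):
    """Flag a page that has user-facing form fields and third-party resources."""
    scan = PageScan()
    scan.feed(html)
    third = sorted(h for h in scan.hosts
                   if h != first_party and not h.endswith("." + first_party))
    trackers = sorted({KNOWN_TRACKERS[h] for h in third if h in KNOWN_TRACKERS})
    return {"third_party_hosts": third, "trackers": trackers,
            "form_fields": scan.fields, "flag": bool(scan.fields and third)}

# Constructed sample: exchange.example is a placeholder, not a real site.
SAMPLE = ('<script src="https://static.exchange.example/app.js"></script>'
          '<script>s.src="https://snap.licdn.com/constructed.js"</script><form>'
          '<input name="pregnant"><input type="hidden" name="csrf"></form>')
```

A static scan like this misses tags that a tag manager loads at runtime, so a flagged or clean result should be confirmed against the network requests a real browser session makes on the same page.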

There are terms and conditions for using third-party tracking tools. For instance, LinkedIn and Meta clearly state that their tools should not be used on web pages that collect sensitive data, including pages that offer health-related services or products to consumers. According to LinkedIn, it does not allow advertisers to target ads based on sensitive data or categories.

According to The Markup, the trackers were removed from the site as the article revealing the disclosures was published, with Covered California informing The Markup that they were removed due to a marketing agency transition in early April. The data was apparently being transmitted to LinkedIn as part of an advertising campaign that had been running since February 2024. That means that anyone who used the website and completed the forms since February 2024 potentially had sensitive data shared with LinkedIn and other third parties without their knowledge.

Covered California confirmed to The Markup that “all active advertising-related tags across our website have been turned off out of an abundance of caution,” and a review of its website and information security and privacy protocols was conducted to ensure there is no impermissible sharing of sensitive data. The Markup has rerun its scan and says most of the tracking tools on the website have been removed, including Meta Pixel and third-party cookies.

A previous study by The Markup in 2022 found that the Department of Education was sending sensitive data to Meta (Facebook) when students applied for college financial aid, and one-third of hospitals were sending sensitive data to Meta, including information about appointments and data classed as protected health information under HIPAA.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
