Sensitive Health Data Shared by State Health Exchanges with Google, LinkedIn, Snapchat
Recent investigations by The Markup and CalMatters reveal that several state-run health care exchanges in the U.S. have been sharing sensitive personal health information with third-party tech companies like Google, LinkedIn, and Snapchat. These exchanges, designed under the Affordable Care Act to facilitate insurance shopping, collect detailed health data from users, including prescription drug names and dosages.
However, in four states—Nevada, Maine, Massachusetts, and Rhode Island—tracker technology embedded on their websites transmitted sensitive health data to external entities without explicit user consent.
Nevada's exchange, Nevada Health Link, was found sending real-time prescription information to LinkedIn and Snapchat, while Maine's CoverME.gov transmitted patient prescription details and healthcare provider names to Google via analytics tools. Rhode Island's HealthSource RI and Massachusetts Health Connector also shared similar categories of information with Google and LinkedIn, respectively.
Upon exposure, states like Nevada and Massachusetts took steps to discontinue this data sharing. The Markup and CalMatters assessed all 19 states operating individual health exchanges and found nearly all used some form of website tracking, though only the four mentioned transmitted sensitive health information. Washington, D.C., notably employed no trackers at all. These third-party trackers serve marketing and analytics purposes, allowing exchanges to understand visitor demographics and target outreach efforts. Nevada indicated its use of such tools was intended to reach uninsured populations. However, privacy experts highlight that extensive use of third-party tech without thorough vetting poses compliance risks under regulations like HIPAA.
Health data privacy attorneys warn that state agencies may lack full visibility into how embedded trackers collect and disseminate users’ health information, potentially exposing consumers to unauthorized data use.
While state exchanges claimed they do not share personally identifiable information, the integration of trackers that can cross-reference users with social media profiles raises concerns about indirect identification and targeted advertising based on health data. Representatives of tech companies involved emphasized that sending sensitive health data violates their policies and may breach legal standards. Google Analytics, LinkedIn, and Snapchat have all reiterated that their platforms are not intended to collect protected health information and have strict terms against such use.
Past incidents involving hospital websites sharing patient data with Meta and other platforms have led to congressional scrutiny, lawsuits, and regulatory fines, highlighting the ongoing challenges in safeguarding health data online.
The Department of Health and Human Services continues to review guidelines on social media trackers in relation to HIPAA compliance, though legal interpretations remain in flux following court decisions.
The findings underscore a critical gap in regulatory oversight and agency compliance in managing sensitive consumer health data online. State exchanges and their vendors must enhance audit and data governance measures to ensure adherence to privacy and security requirements. This episode also alerts industry stakeholders—insurers, regulators, and compliance professionals—to the complexities of managing digital health data privacy amid evolving internet tracking technologies and legal frameworks.
Overall, this investigation reveals the nuanced risk of data leaks via embedded trackers on government health exchanges, emphasizing the necessity for more robust controls and transparency in digital health insurance marketplaces. It highlights the intersecting challenges of technology, policy, and compliance in protecting sensitive personal health information in publicly operated digital platforms.