Information entered into the US government's health insurance website is being passed to companies such as Twitter, Yahoo and Google, according to a report from the Associated Press.
The data includes zip codes, income levels and information about whether people smoke or are pregnant, which users share on HealthCare.gov to get an estimate on the cost of an insurance plan.
The AP's findings were confirmed by the Electronic Frontier Foundation (EFF), which conducted its own tests on Tuesday, said Cooper Quintin, an EFF staff technologist, in a phone interview.
The EFF found that personal health information was sent to 14 third-party domains whose tracking programs are embedded in HealthCare.gov. The domains include those for social media and web analytics companies.
The health data is transmitted in two ways. All 14 domains receive the health data in a referrer, Quintin said. A referrer is information sent from a Web browser that lets another website know what site a person last visited.
In some other cases, the data is embedded in a request string that is sent to the tracking programs, Quintin said. For instance, Google's DoubleClick advertising service receives the data in that way, according to a blog post he wrote.
The worry is that those 14 third-party domains could collect the information and use it to identify users across the Internet for purposes such as targeted advertisements.
"This information, I would say, would be gold for any online advertising company," Quintin said.
There is no evidence that the companies that have trackers are misusing the information, however, and it's unclear if the data is being transmitted intentionally or as the result of an oversight by developers.
Quintin said trackers such as Twitter and YouTube may be there for HealthCare.gov's developers, or to make it easier for people to share content about health care on social media sites.
"I'd say most of these are probably on here just to make life easier for the web developers working on this," Quintin said. "But I think there are better ways to do all of these things which would still retain people's privacy."
The site's developers could make their own sharing button that doesn't link directly to Twitter, or run their own analytics software, Quintin said.
Officials with HealthCare.gov could not be immediately reached Tuesday evening.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.