By TOMAS APODACA And Colin LecherCalm
!["Illustration]("https://i0.wp.com/calmatters.org/wp-content/uploads/2025/04/042425-COVERED-CA-BUG-GH-CM.jpg?fit=1200%2C800&ssl=1")
This story was initially published by Calm. Register For their newsletters.
The website which allows Californians to buy health insurance under the Act respecting affordable care, Coveredca.com, revealed sensitive LinkedIn data, revealed forensic tests.
While visitors have completed forms on the website, trackers on the same pages told Linkedin their answers to questions to find out if they were blind, pregnant or used a high number of prescription drugs. Trackers also watched if visitors said they were transgender or any victims of domestic violence. (See data on our GitHub deposit.)
Covered in California, the organization that operates the website, deleted trackers in the form of calm and markings reported this article. The organization said it was deleted “due to a marketing agency transition” in early April.
In a press release, Kelly Donohue, agency spokesperson, confirmed that the data had been sent to LinkedIn as part of an advertising campaign. Since he was informed of follow-up, “all labels related to active advertising on our website have been discouraged by an abundance of prudence,” she added.
“Covered California has launched an examination of our websites and our information and confidentiality of information protocols to ensure that no analysis tool in an imperpritable consumer information shares,” said Donohue, adding that they “would share additional results as they become available, taking the necessary measures to protect the security and confidentiality of consumer data”.
Visitors who have completed information on health on the site may have made their data followed for more than a year, according to Donohue, who said that the LinkedIn Campaign started in February 2024.
Calmatters observed trackers directly in February and March this year. He confirmed that most advertising trackers, including Tracker Meta “Pixel”, as well as all third -party cookies, were removed from the site on April 21.
Since 2014, more than 50 million Americans have registered For health insurance through state exchanges like California. They were installed under the ActSigned by President Barack Obama 15 years ago. States can either operate their exchange websites in partnership with the federal government or independently, As California does.
Covered California operates as an independent entity within the State government. It is advice is appointed by the governor and the legislator.
In March, Covered California has announced This, after four years of growing registration, a record of almost 2 million people was covered by health insurance through the program. In total, the organization said that around one in six Californians was at some point through covered California. Between 2014 and 2023, the uninsured rate increased from 17.2% to 6.4%, according to the organization, the greatest drop in any state during this period. This coincided with an eligibility series Extensions to MedicalThe state health insurance program for low -income households.
Experts have alarmed themselves to the idea that these millions of people could have sent sensitive health data to a private company without their knowledge or their consent. Sara Geoghegan, main lawyer of the Electronic Privacy Information Center, said that he was “worrying and invasive” that a health insurance website sent “totally out of words” data to the use of a for -profit business like LinkedIn.
“It is regrettable,” she said, “because people do not expect their health information to be collected and used in this way.”
The LinkedIn Insight tag
Calmatters and the markup in recent months have been digitized for trackers on hundreds of websites from the California government and county which offer services to undocumented immigrants using BlacklightAn automated tool developed by markings for websites audit.
“People do not expect their health information to be collected and used in this way.”
Sara Geoghegan, main lawyer at the Electronic Privacy Information Center
Calmatters noted that covered California had more than 60 trackers on its site. On more than 200 government sites, the average number of trackers on the sites was three. California covered had tens more than any other website that we have examined.
On Coverca.com, followers of well-known social media companies like Meta have collected information on the pages viewed of visitors, while less known media analysis and media campaigns like marketing company by E-mail Inteenting also followed the users of the site.
But by far the most sensitive information has been transmitted to LinkedIn.
While some of the data sent to LinkedIn was relatively harmless, such as the pages visited, covered California also sent detailed information to the company when visitors have selected doctors to see if they were covered by a plan, including their specialization. The site also told LinkedIn if someone had sought a specific hospital.
In addition to demographic information, especially sex, the site also shared details with LinkedIn when visitors have selected their ethnicity and matrimonial state, and when they said to Covereca.com how often they saw doctors for surgery or ambulatory treatment.
Linkedin, like other large social media companies, offers a way for websites to easily transmit data on their visitors via a monitoring tool that sites can place on their pages. In the case of LinkedIn, this The tool is called the insistence tag. By using the tag, companies and other organizations can subsequent target advertisements On LinkedIn to consumers who have already expressed their interest in their products or services. For an e -commerce site, a tracker on a page may be able to note when someone has added a product to their basket, and the company can then send announcements for this product to the same person on its social media flows.
A health care market like covered California could use trackers to reach a group of people who could be interested in a reminder of a deadline for registration for open health insurance, for example.
In his declaration, Covered California noted the usefulness of these tools, claiming that the organization “exploits LinkedIn’s advertising platform tools to understand consumer behavior and deliver tailor-made messages to help them make informed decisions on their health care options.”
Trackers can also be precious for social media societies that offer them. In addition to driving ads, they offer the opportunity to collect information on visitors to websites other than their own.
On His information page About the Insight tag, LinkedIn exercises the burden of websites that use the tag so as not to use it in risky situations. The “should not be installed on the web pages that collect or contain sensitive data”, advises the page, including “pages offering services or financial products related to health or specific consumers”.
Linkedin spokesperson Brionna Ruff said in a statement sent by e-mail: “Our announcement agreement and our documentation expressly prohibit customers from installing the web pages on web pages that collect or contain sensitive data, including pages offering health-related services. We do not allow advertisers to target announcements based on sensitive data or categories. ”
Legal appeal
The collection of sensitive information by social media trackers has in the previous cases has led to the abolition of trackers, prosecution and meticulous examination by state legislators and federal legislators.
For example, after markings in 2022 revealed that the Ministry of Education has sent personal information to Facebook When students asked for financial assistance at online college, the department has disabled sharing, faced questions two members of the Congress, and was pursued by two plea groups who looked for more information on sharing. Other stories in the same thing Series on trackers, known as Pixel Hunthas also led to changes and a return of flame, including a Repression by the Federal Trade Commission On teleheal companies transmitting personal information to companies, including Meta and Google without consent of users and collective remedies offered on the information shared through followers with Pharmacies, health providersAnd Tax preparation companies.
Linkedin is already faced with several proposed collective remedies linked to the collection of medical information. In October, Three new prosecution in the courts of California have alleged That LinkedIn has violated the confidentiality of users by collecting information on medical appointments, including for a fertility clinic.
Social media monitoring practices have supported the enormous growth of the technology industry, but few web users are aware of the tracking path. “This absolutely contradicts the expectation of the average consumer,” said Geoghegan.
In California, a law called California Confidentiality of Medical Information Act governs the confidentiality of medical information in the state. Under the law, consumers must authorize certain organizations before their medical information is disclosed to third parties. Companies have experienced disputes under the law for the use of web follow -up technologies, although these combinations have not always successful.
Geoghegan said that current protections like these are not far enough to help consumers protect their sensitive data.
“This is an exact example of the reason why we need better protections,” she said about Linkedin receiving data. “This is sensitive health information that consumers expect to be protected and a lack of regulation we lack.”
This article was Originally published on Calmatters and was republished under the Assignment of creative-noderivatives-noderivatives license.