Analyst: Private Firms’ Access to Obamacare User Info ‘Incomprehensible’

Allowing dozens of companies access to Obamacare users’ personal health care information was “digital overkill,” and compromised millions of Americans’ online security, an analyst told a congressional panel looking into the issue this month.

An Associated Press story revealed last month that the federal government had authorized as many as 50 private companies, including Google, Twitter and Facebook, to track and record healthcare.gov users’ information.

The Obama administration said the use of third-party “data mining” is necessary to help understand who uses the site, as well as how and when they use it. That, in turn, they say, can help officials improve the site’s content, features, layout and security, as well as the overall “user experience.”

Data mining is the collection of information actively provided by website users, such as their name, age, marital status and income, as well as passive data, such as when they log in, and how long they stay on a particular website. The practice is widely used by web-focused companies and marketers that track and analyze online behavior and trends.

The administration’s goal to improve “user experience” may be laudable, said Morgan Wright, a cybersecurity expert with consulting firm Morgan Wright LLC. But it doesn’t explain why so many companies were given embedded connections to the site.

“The use of 50 companies to perform data mining is digital overkill and puts the [privacy and online security] of consumers at significant risk,” said Wright, who testified at the joint hearing of the House Science, Space and Technology Committee’s Research and Technology, and Oversight subcommittees.

Wright said the Obama administration’s decision to allow such access is especially worrisome considering the problems that have plagued healthcare.gov since its launch in October 2013. The site was beset by technical problems in its first weeks of operation, including numerous shutdowns that made it virtually impossible for anyone to sign up in its first week of operation. Then last summer, the site was hacked by someone who was able to implant it with malicious code. No personal information was stolen during the hack, and officials say the attack caused no long-term damage.

“Adding third-party applications without proper due diligence and compliance speaks to the continued lack of oversight and management of the security of the site,” Wright said. “Willfully or unintentionally ignoring established … security controls in order to [allow access by] 50 third parties is incomprehensible.”

Site ‘A Bit Lazy’

Both Republicans and Democrats expressed grave concerns about the government’s willingness to throw open the files of Obamacare users to private firms.

Rep. Don Beyer (D-Va.) asked another witness at the hearing if the decision to allow outside companies to plug into healthcare.gov was an extension of the website’s botched design and launch, which involved an unusual number of contractors.

“We know how tortured the rollout was,” Beyer said, directing his comment to Michelle De Mooy, deputy director for consumer privacy at the Center for Democracy and Technology. “How much of this decision was connected to … having all these different firms trying to put Humpty Dumpty back together again.”

De Mooy said that while it’s hard to say with any certainty, a connection would not surprise her.

“When you hire a lot of outside vendors to work on one project, the communications can fall apart,” she said. “When I look at the site design, it looks a bit lazy, and [in a case like this] the easiest thing is to just allow rampant sharing.”

In response to a question from Beyer about the extent of personal information collected by the companies, Wright said it was limited to specific, though still sensitive, types of data like a user’s income, whether they are pregnant, and whether or not they smoke.

But with today’s technology, Wright said, even with names and addresses stripped from the data collected by these firms, other companies and outside groups need only a small amount of information to identify users.

“It’s gotten to the point now on the Internet where there’s so much data floating out there, it takes very small steps to create a profile on you, sir, to understand what you do, where you live, what your interests are,” Wright said.

He pointed to a recent study by MIT researchers that showed marketers can identify you “with more than 90 percent accuracy by looking at just four purchases, three if the price” is included.

“And this is after companies ‘anonymized’ the transaction records,” Wright added.

Republicans Fuming

While Democrats were unhappy with the access granted private firms, Republicans were downright furious. Already champing at the bit to repeal the Affordable Care Act, GOP leaders pounced on the administration over the latest revelation, saying it is yet another example of a lack of leadership in the White House — and a disregard for citizens’ privacy.

Rep. Barbara Comstock (R-Va.), chairwoman of the Research and Technology subcommittee, noted that President Obama is expected to announce proposed updates to the nation’s privacy and cybersecurity regulations.

“This proposal was described as building on steps previously taken to ‘protect American companies, consumers, and infrastructure from cyber threats, while safeguarding privacy and civil liberties,’” Comstock quoted from the administration’s stated goals. “It seems to be that what the AP has reported and what the president expects of Americans may be in conflict or certainly raise legitimate concerns.”

Rep. Barry Loudermilk (R-Ga.), chairman of the Oversight Subcommittee, asked if the White House was even in the loop on the amount of access given to companies, noting that the administration has had a spotty record when it comes to overseeing the health care law’s implementation.

“Did the administration actually know and approve all of the companies that were connected to healthcare.gov?” asked Loudermilk.

What’s more, he asked, did the Centers for Medicare and Medicaid Services, which administers the site, have any safeguards in place to make sure the companies were not collecting unauthorized information or using website users’ personal data improperly?

The Obama administration has not said what precautions it did or did not take, only that the companies with embedded connections to healthcare.gov had to promise not to use such information for their own ends.

“I find what appears to be extensive tracking of Americans’ personal information extremely disconcerting and unnecessary.”

Since the AP story was published on Jan. 20, the number of companies with connections to the Obamacare site has dropped from the initial 50 to 11. That calls into question the administration’s explanation as to why it gave the companies access in the first place, Loudermilk said.

“The [administration] says this kind of data mining is necessary in order to improve users’ experience,” Loudermilk said. “But if that’s the case, I wonder why the number of embedded connections to the website has dropped significantly since the [AP] news story.”

Far From ‘Transparent’

Officials with the Centers for Medicare and Medicaid Services will say only that they will look into the data mining process and how it might use other means to get the information it says it needs to identify potential problems and improvements to the site.

De Mooy said the administration could set up its own data mining program.

“The government should be constrained about the sharing of personal data … and should consider doing analytics or retargeting of any kind in-house, in order to minimize privacy and security risks,” De Mooy said.

She added that the government’s privacy policies and practices also “should be highly transparent.” Those of healthcare.gov, she said, were anything but.

Not only did users of the site not authorize the collection of their personal data by private firms, they also didn’t know that collection was going on in the first place, De Mooy explained.

“Without an easy-to-implement option to opt-out,” she said, “users were effectively coerced into agreeing to share personal health information, a clear violation of their expectations.”