Covered California fails privacy test

Covered California - the state’s Affordable Care Act health insurance marketplace - gave enrollees’ sensitive personal information to the online networking platform LinkedIn, according to a report by CalMatters. That is a staggering violation of public trust and a potentially serious legal misstep.

People have become accustomed to hackers targeting their digital information. The revelation that a state agency actively participated in giving it away is profoundly worse.

Covered California embedded tracking technology on its website that transmitted the data to LinkedIn. This included not just obvious personal data like name, birth date and address but also details like whether individuals were blind, pregnant, transgender, used prescription medications or were potential victims of domestic abuse. Even information about doctor selections and hospital searches was reportedly shared with the company.

This wasn’t a case of shadowy cybercriminals breaching firewalls. California willingly fed sensitive data into the hands of a for-profit media company for advertising purposes. People who need affordable health insurance must provide so much information during the application process. The least the state could do is safeguard it.

Nearly 2 million Californians enroll through Covered California. Because the agency was so cavalier with their data, the state could face legal jeopardy on multiple fronts.

The state Confidentiality of Medical Information Act requires explicit permission before sharing medical information with third parties. Covered California obtained no such clear consent. The sheer volume and sensitivity of the data shared could provide grounds for legal challenges from privacy advocates and affected individuals.

Meanwhile, the California Consumer Privacy Act and California Privacy Rights Act give consumers control over their personal information, including the right to opt-out of its sale or sharing. It remains unclear whether Covered California provided all users with those options in a meaningful way.

If these state laws are so weak that even a state agency feels no obligation to comply with both their letter and spirit, lawmakers should look at beefing them up to better protect their constituents.

Perhaps the greatest legal risk comes not under state law but federal law. The Health Insurance Portability and Accountability Act might well apply to Covered California as a health insurance marketplace. If the information shared with LinkedIn counts as “protected health information,” or PHI, under the act, the state could be in big trouble. HIPAA generally requires patient authorization before sharing information. Anyone who has visited a doctor’s office in recent years likely signed a HIPAA consent form.

The U.S. Department of Health and Human Services explicitly warns against the sort of arrangement California had with LinkedIn. “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules. For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”

Covered California says it has disabled advertising-related tags and initiated a comprehensive review of its privacy and security protocols. That belated action does little to undo the damage already done. Only an independent, transparent investigation into how this egregious lapse in judgment occurred followed by real reforms can restore public trust and ensure such disclosures do not recur.