In today’s hyperconnected world, internet users are moving quickly from one website to another with clicks of a mouse.
And this can create problems.
The state’s health insurance exchange HealthSource RI, billed as a simple way for people to compare and enroll in federally subsidized health insurance plans, has been called out for allegedly allowing a contracted vendor to send health information to tech giant Google Inc. and using features that enable user tracking across the internet.
In June, the nonprofit news organizations CalMatters and The Markup audited the websites of the 19 states that independently operate health exchanges, concluding that those in Rhode Island, Massachusetts, Maine and Nevada had exposed visitors’ health information to companies such as Google, Meta Platforms Inc. and LinkedIn Corp.
But HealthSource RI says that individually identifiable health information wasn’t sent to third parties, and it denies that it has done anything wrong.
Websites often contain advertising tracking technology used to build individual advertising profiles, or they use “cookies” to profile users for ads, analytics or personalization.
The CalMatters and Markup report said that HealthSource RI shared prescription details, dosages and doctors’ names with Google. Meanwhile, the Massachusetts Health Connector told LinkedIn whether visitors said they were pregnant, blind or disabled.
Big tech has been inching its way into the profitable health care sector.
A CB Insights report noted that Google sees structured health data and artificial intelligence as central to the future of health care, and that the 2016 acquisition of Apigee for $625 million plays into that broader strategy.
At the same time, there has been an increase in lawsuits – dubbed “pixel” litigation – filed by consumers claiming privacy-rights violations by the tech behemoths, says Linn Foster Freedman, former deputy chief of the civil division at the R.I. Office of Attorney General and now adjunct professor at Roger Williams University School of Law.
Freedman, who also chairs Robinson + Cole LLP’s data privacy and cybersecurity practice, says users of the seemingly secure sites need to be aware of where they have landed.
“Hundreds of these cases have been filed around the country alleging that when you view a website, all of that information goes to these companies,” she said. “This is similar but not the same.”
Even if a third-party vendor hired by HSRI is using its own technology to prevent names and addresses from being leaked to big tech, companies such as Google “still [have] full access to that data,” Freedman said. Either way, “most people wouldn’t want Google to know what prescriptions they are on.
“This pixel litigation is in a formative phase,” Freedman said. Often, state governments find themselves playing catch-up.
“The laws have not kept up with the technology,” she said. “And these lawsuits will help develop the laws around the use of this technology.”
But what many visitors may be unaware of is that the health insurance exchange uses the third-party vendor Consumers’ Checkbook – a nonprofit consumer advocacy organization – to run a separate site that allows visitors to explore available health care plans. CalMatters noted that this third-party site is “prominently linked” to HealthSource RI, with the exchange’s logo displayed at the top of the landing page.
But Christina O’Reilly, HealthSource RI spokesperson, says individually identifiable health information, such as names and addresses, wasn’t sent to third parties and the vendor uses Google Analytics to study trends but not to serve ads. It also disables Google Signals Data Collection, “ensuring that no data is shared with Google Ads for audience creation or ad personalization, and no session data is linked to Google’s advertising cookies or identifiers.”
Michael G. Tauber, a partner with the law firm Cameron & Mittleman LLP who focuses on Health Insurance Portability and Accountability Act compliance, wasn’t surprised that data may have been shifted to big tech companies or that Consumers’ Checkbook may have an interest in knowing everything it can about potential customers.
“Let’s say, for example, there’s a whole bunch of folks who are now needing treatment for COVID,” he said. “They’ve had their heads in the sand. So now let’s develop something we can market for that.”
Whether an organization is rubbing up against any legal issues is murkier, particularly in the realm of class-action litigation, according to Tauber.
“The question is, Can you demonstrate that you’ve been injured? Are you going to say I wasn’t aware I was no longer on the website?” he said.
Google’s information page states that the company’s tools should be used in compliance with the federal law that protects health data, but it also notes, “Google makes no representations that Google Analytics satisfies HIPAA requirements.”
O’Reilly characterizes Consumers’ Checkbook as a tool that allows prospective customers to input their information “that may be vital to them in plan selection” to get an estimate of their health coverage costs and explore options that may suit them.
No session data is linked to Google’s advertising cookies or identifiers, but Consumers’ Checkbook does use Google Analytics tools to collect the fields of prescriptions and providers “to study trends in health coverage searches in aggregate to improve its own product,” O’Reilly said. But “the prescription and provider information entered is never associated with a customer name or other personally identifiable piece of information.”
She says the exchange is assured that Consumers’ Checkbook’s use of Google Analytics is “reasonable” and that the information held within its control is secure.
Consumers’ Checkbook and Google did not respond to requests for comment.
Between February 2021 and July 2024, the number of people enrolled in coverage through HSRI increased by 42% – from 30,388 to 43,098, “driven primarily by substantial growth in the number of households eligible for financial assistance,” according to HSRI.
Tauber says prospective enrollees need to read the fine print. And state health exchanges should keep a close eye on how they handle sensitive information.
“I’m fairly confident someone reading the information [on Consumers’ Checkbook] won’t distinguish between HealthSource and its contractor,” he said. “If the [HSRI] logo is there, there is an argument you are allowing your logo to be used. So, you’re in the soup here.”