Healthcare exchanges in New England shared users' sensitive health data with companies like Google
The exchange websites ask users to answer a series of questions, including about their health histories, to find them the most relevant information on plans. But in some cases, when visitors responded to sensitive questions, the invisible trackers sent that information to platforms like Google,
Advertisement
The Markup and CalMatters audited the websites of all 19 states that independently operate their own online health exchange. While most of the sites contained advertising trackers of some kind, The Markup and CalMatters found that four states exposed visitors' sensitive health information.
Nevada's exchange, Nevada Health Link, asks visitors about what prescriptions they use, including the names and dosages of the drugs, to help them find their best options for health insurance. When visitors start typing, it suggests specific medications, including antidepressants, birth control and hormone therapies.
As visitors answered the questions, their responses were sent to LinkedIn and Snapchat, according to tests conducted by The Markup and CalMatters in April and May.
When an individual indicated that they took Fluoxetine, commonly known as Prozac, on Nevada Health Link, the information was sent to LinkedIn.
The Markup/CalMatters
On the other side of the country, Maine's exchange, CoverME.gov, sent information on drug prescriptions and dosages to Google through an analytics tool. It also sent the names of doctors and hospitals that people had previously visited.
Advertisement
Rhode Island's exchange, HealthSource RI, sent prescription information, dosages, and doctors' names to Google.
Massachusetts Health Connector, another exchange, told LinkedIn whether visitors said they were pregnant, blind, or disabled.
After being contacted by The Markup and CalMatters, Nevada's health exchange stopped sending visitors' data to Snapchat and Massachusetts stopped sending data to LinkedIn. Additionally, The Markup and CalMatters found that Nevada stopped sending data to LinkedIn in early May, as we were testing.
The Markup and CalMatters discovered the sharing after finding that California's exchange, Covered California,
Experts said state health exchanges' use of advertising trackers was troubling if not entirely surprising. Such tools can help organizations to reach visitors and tailor ads for them. Google Analytics allows website operators to better understand who is coming to their site and to optimize ad campaigns. The LinkedIn and Snap trackers, like a similar offering from Meta, help companies target their social media ads.
Nevada uses the trackers to help target marketing at uninsured residents, according to Russell Cook, Executive Director of the state agency that operates Nevada's exchange, Silver State Health Insurance Exchange.
But health care services need to be especially careful with those tools, said John Haskell, a data privacy attorney who has previously worked as an investigator for the Department of Health and Human Services.
'It doesn't surprise me that organizations that have these massive tech stacks that rely on third party-resources don't have a full understanding of what the configuration is, what the data flows are, and then once they go to somebody, what that data is being used for,' Haskell said. 'It's something that needs to be addressed.'
Advertisement
How was state exchange data tied to users' identities?
After
The Markup and CalMatters then examined websites operated by 18 states other than California, as well as Washington, D.C., to see what information they shared as users navigated them. The sites were established under the Affordable Care Act, which requires states to offer health insurance either through their own exchanges or one operated by the federal government.
To test them, we first ran the sites through
The results showed that 18 used some sort of tracker. Some were filled with them. Nevada, for example, used nearly 50. By contrast, Blacklight found no tracker of any kind on Washington, D.C.'s exchange. Popular websites use on average seven trackers, according to
Many of the sites used trackers in relatively innocuous ways, like counting page views.
The four exchanges we found sharing sensitive health data sent varied responses to questions about the tracking.
Advertisement
Cook said in a statement that trackers placed by his Nevada agency were 'inadvertently obtaining information regarding the name and dosage of prescription drugs' and sending it to LinkedIn and Snapchat.
Cook acknowledged such data was 'wholly irrelevant to our marketing efforts' and said it had disabled tracking software pending an audit.
Jason Lefferts, a spokesperson for Massachusetts Health Connector, said in a statement that 'personally identifiable information is not part of the tool's structure and no personally identifiable information, not even the IP addresses of users of the tool, has ever been shared with any party in any way via this tool.' But LinkedIn's
Spokespeople for the Rhode Island and Maine health exchanges said that they pay a vendor, Consumers' Checkbook, to run a separate site that allows visitors to explore what plans are available to them through their states' exchanges. It was from these sites that sensitive information was shared to Google. Consumers' Checkbook's sites are at different web addresses than the exchange sites, but are prominently linked to on the exchange sites and display identical branding like the state health exchange's logo, making it unlikely that an average visitor would realize they were no longer on a state-run domain.
Christina Spaight O'Reilly, a spokesperson for HealthSource RI, said the company uses Google Analytics to study trends but not to serve ads, and 'disables Google Signals Data Collection, ensuring that no data is shared with Google Ads for audience creation or ad personalization, and no session data is linked to Google's advertising cookies or identifiers.' HealthSource RI's terms of use mention the use of Google Analytics, she noted. A spokesperson for CoverME.gov made similar points, saying that the agency 'does not collect or retain any data entered into the tool.'
Advertisement
When an individual selected a doctor on HealthSource RI, the doctor's name was sent to Google Analytics.
The Markup/CalMatters
Consumers' Checkbook declined to comment beyond the exchanges' statements.
All of the exchanges said that individually identifiable health information, like names and addresses, wasn't sent to third parties. But the point of the trackers is to enhance information sent about a user with data the platforms already have on that user, and every tracker found by The Markup and CalMatters logged details about individual visitors, such as their operating system, browser, device, and times of visit.
In response to requests for comment, the tech companies whose trackers we examined uniformly said they do not want organizations sending them potentially sensitive health data, and that doing so is against their terms of use.
Steve Ganem, Director of Product Management for Google Analytics, said that 'by default any data sent to Google Analytics does not identify individuals, and we have strict policies against collecting Private Health Information or advertising based on sensitive information.' A spokesperson for LinkedIn, Brionna Ruff, said that advertisers are not allowed 'to target ads based on sensitive data categories,' such as health issues. A spokesperson for Snapchat owner Snap said the same, noting that sending purchases of supplies like prescriptions would run afoul of the company's rules about sensitive data.
Advertisement
'It is important to ensure that your implementation of Google Analytics and the data collected about visitors to your properties satisfies all applicable legal requirements,' the page reads.
More incidents
State exchanges aren't the only health sites that have sent medical information to social media companies.
In 2022,
In 2023, a New York hospital agreed to pay a $300,000 fine for violations of the Health Insurance Portability and Accountability Act, or HIPAA.
In response to a series of incidents, the
Some plaintiffs have used state laws, like those in California, to argue that they should be compensated for having their health data sent to third parties without consent. Others have argued that this kind of tracking runs afoul of
'Organizations aren't investing enough time and resources into properly vetting everything,' said Haskell, who advises clients to be very careful about the information they track on their sites. 'When organizations are saying, 'we didn't understand that there's a certain configuration of this tool that we're using,' well, I can't really
not
put that on you.'
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Hamilton Spectator
a day ago
- Hamilton Spectator
Quebec air ambulance company pays homage to four victims of helicopter crash
MONTREAL - The company that operated an air ambulance that crashed on Quebec's North Shore on June 20 is honouring the four victims who perished. Airmedic says three of its crew members died as heroes, along with an American patient. Four crew members and the patient were aboard the Airmedic helicopter when it went down in a remote area north of Natashquan, about 1,000 kilometres northeast of Montreal. The company described the patient as a quiet woman, entirely devoted to her family. One crew member survived, the body of another person was found on Monday, and the other three victims' bodies were recovered by provincial police on Wednesday. The Quebec coroner's office says the victims are Sébastien De Lutio, 50, from Lac-Beauport; Olivier Blouin, 25, from Pont-Rouge; Sébastien Groulx, 50, from Longueuil; and patient Claire Tripp, 78, from the U.S. state of Maine. On its website, Airmedic says its employees were faithful to their mission until the very last moment, and saluted their dedication, courage, and humanity. This report by The Canadian Press was first published June 27, 2025. Error! Sorry, there was an error processing your request. There was a problem with the recaptcha. Please try again. You may unsubscribe at any time. By signing up, you agree to our terms of use and privacy policy . This site is protected by reCAPTCHA and the Google privacy policy and terms of service apply. Want more of the latest from us? Sign up for more at our newsletter page .
Elle
2 days ago
- Elle
The Ultimate Guide to Exfoliation
Exfoliation is arguably one of the most complicated steps in my skin-care routine. I know I have to do it — lest I miss out on the bright, radiant complexion my collection of scrubs, acids, and tools promise me — but how often, when, and which methods I should be using remains elusive. I'm always somewhere between doing it too often and not enough — and I'm not alone. 'How to exfoliate your face' continues to be a popular Google search, and the endless SkincareAddiction Reddit threads dedicated to exfoliation routines (and what to do when you've taken it too far) tell a tale of glow-seeking enthusiasts who are just trying to get it right. No matter what method you use, the goal of exfoliating is to remove dead skin cells from the top layer of your skin with the hope of revealing a brighter, more radiant complexion underneath. 'Exfoliation can have significant benefits for your skin when done safely and correctly,' says board-certified dermatologist Tiffany Jow Libby, MD. In addition to brightening skin, exfoliation can help improve texture, assist in product absorption (which enhances their efficacy) and unclog pores. Shani Darden, an esthetician whose client roster includes glowy-skinned celebs like Kelly Rowland and Shay Mitchell agrees, recommending that every skin type stands to benefit from working this step into their routine. There's no set frequency for exfoliation. It truly depends on your skin type, the type of exfoliation, and the other products in your routine. If you're just getting started, Dr. Libby advises exfoliating one to two times a week — working up to three times if your skin can handle it — and adding in one product at a time. It's essential to listen to your skin and not overdo it, which can lead to redness and irritation. That means using one active at a time and alternating the days you use exfoliants and other active products like retinol. You should also be checking your products, to ensure you aren't doubling up on your exfoliation with realizing. There are two methods of exfoliation, mechanical and chemical. Mechanical exfoliation (sometimes called physical exfoliation) is the process of using a physical agent, and likely what pops into your mind. This includes scrubs, sponges, brushes, and services like dermaplaning. Chemical exfoliation uses acids like alpha- and beta-hydroxy acids and has grown in popularity in the past few years. Both Dr. Libby and Darden suggest sticking to chemical exfoliants as they're often just as effective and less harsh than a scrub can be. 'Start by using a cleanser once a week that contains chemical exfoliant ingredients like salicylic acid, glycolic acid, and lactic acid,' says Dr. Libby, increasing the frequency if your skin tolerates it well. If you have rosacea-prone, sensitive skin, Dr. Libby recommends using lactic acid, which tends to gentler and more hydrating. For acne-prone skin types, she likes salicylic acid because it's lipophilic (meaning it's attracted to oil), and excellent at getting deep into pores. If you can't tolerate either method of exfoliation, Darden suggests removing your cleanser with cotton gauze. 'The gauze will gently exfoliate the skin in the process, resulting in brighter skin. This is great for someone with really sensitive skin,' she shared. Here is a helpful guide to finding the best exfoliating products for your skin type. One way to tell if you've exfoliated too much is your skin feels 'squeaky clean.' That's a sign you may have over-cleansed or over-exfoliated, Dr. Libby warns. Skin that's been over-exfoliated will be dry, itchy, and generally irritated. If this happens, you should stop using any actives immediately and focus on hydrating the skin. Switch to a gentle cleanser and add a hyaluronic acid serum into your routine both morning and night. This will help your skin to attract moisture, and help repair the skin's natural moisture barrier. Ultimately, what your skin needs is time, so give yourself a lengthy break and add actives back in slowly. The skin on your body is thicker than the skin on your face and thus may tolerate physical exfoliation better. Darden swears by the Nyakio Kenyan Coffee Body Scrub as a weekly treatment, which she loves for the scent and the luxurious feeling it leaves behind. Dr. Libby, however, says sticking to chemical exfoliants for your body is best, and recommends using a wash formulated with acids. It might seem intuitive to exfoliate every inch of your body, but certain spots require extra caution. Dr. Libby warns against exfoliating the lips at all, pointing to the lack of oil glands and delicate, thin skin. This makes the lips more susceptible to water loss and damage she says, and recommends hydrating instead. Darden cautions exfoliating your neck and chest too often and being careful when you do. 'They can be more sensitive areas,' she shared, 'so you may not be able to exfoliate them as often as your face.'
Business Wire
3 days ago
- Business Wire
LegitScript Healthcare Merchant Certification Now Recognized by Google for Telemedicine Providers in the United Kingdom
PORTLAND, Ore.--(BUSINESS WIRE)-- LegitScript, the leader in merchant and product certification and monitoring in the advertising, e-commerce, and payment sectors, today announced its partnership with Google to certify telemedicine providers in the United Kingdom. The policy update means that telemedicine businesses operating in the UK can now apply for LegitScript Healthcare Certification, a required step for advertising their services on Google's platforms. LegitScript's Healthcare Certification provides a trusted pathway for telemedicine businesses to demonstrate compliance and transparency with regulators, the public, and third-party partners. This expansion represents a significant opportunity for telemedicine providers in the United Kingdom to build trust and brand awareness at a time when the industry, which is on a rapid trajectory, is becoming increasingly competitive. The total market revenue of the United Kingdom's telehealth industry is projected to increase from $2.43 billion to $7.55 billion by 2030, with an annual growth rate of 21.1%, according to Grand View Research. As digital-first healthcare delivery models continue to rise, it is essential that telemedicine advertising avenues remain safe, trustworthy, and compliant. 'As Google expands its advertising policies in the United Kingdom, we're collaborating to build a safer, more transparent online ecosystem not only for telemedicine providers, but for patients,' said Angela Salter, Director, Partnerships and Sales at LegitScript. 'This is a truly meaningful step forward in supporting platform integrity and trust while enabling legitimate, verified providers to reach patients who require care.' LegitScript's Healthcare Certification provides a trusted pathway for telemedicine businesses to demonstrate compliance and transparency with regulators, the public, and third-party partners. LegitScript Certification is included within the approval process for conducting card-not-present transactions with Visa and Mastercard, and it is a requirement for many online platforms. Google's policy update now makes it possible for UK-based telemedicine providers to expand their reach by advertising on the world's most popular online ad platform. 'Healthcare is a complex, heavily regulated industry, especially as it becomes increasingly digitized and businesses operate across various jurisdictions,' Salter said. 'LegitScript helps providers avoid inadvertent noncompliance and stay current with regulatory changes to help them access top-tier advertising platforms like Google, maintain crucial access to key payment processing networks, and most importantly, secure the trust of patients and their families.' To learn more about LegitScript's Healthcare Certification program, download the application checklist, and begin the application process, visit: For more details on Google's advertising policies and to stay up to date with changes, visit the Google Ad Policy Change Log homepage. About LegitScript LegitScript, the global leader in Enterprise Risk Management Solutions, is trusted by the world's largest search engines, e-commerce marketplaces, payment service providers, and social media platforms. By combining advanced, AI-driven technology with deep domain expertise and curated market intelligence, LegitScript empowers businesses to stay ahead of emerging threats and seize new growth opportunities with precision and speed. Our global team of regulatory experts and analysts is skilled at understanding global regulatory changes and assessing risk across products, websites, merchants, and platforms, providing clients with unmatched accuracy, actionable insights, and exceptional support.
