Latest news with #TheMarkup


USA Today
17-06-2025
- Health
- USA Today
Why are these health-care websites sharing sensitive info with LinkedIn and Snapchat?
This story was originally published by The Markup, now a part of CalMatters.

Health care websites around the country, meant to provide a simple way to shop for insurance, have been quietly sending visitors' sensitive health information to Google and social media companies, The Markup and CalMatters found. The data, including prescription drug names and dosages, was sent by web trackers on state exchanges set up under the Affordable Care Act to help Americans purchase health coverage.

The exchange websites ask users to answer a series of questions, including about their health histories, to find them the most relevant information on plans. But in some cases, when visitors responded to sensitive questions, the invisible trackers sent that information to platforms like Google, LinkedIn, and Snapchat.

The Markup and CalMatters audited the websites of all 19 states that independently operate their own online health exchange. While most of the sites contained advertising trackers of some kind, The Markup and CalMatters found that four states exposed visitors' sensitive health exchange, Nevada Health Link, asks visitors about what prescriptions they use, including the names and dosages of the drugs, to help them find their best options for health insurance. When visitors start typing, it suggests specific medications, including antidepressants, birth control and hormone therapies. As visitors answered the questions, their responses were sent to LinkedIn and Snapchat, according to tests conducted by The Markup and CalMatters in April and May.

On the other side of the country, Maine's exchange, sent information on drug prescriptions and dosages to Google through an analytics tool. It also sent the names of doctors and hospitals that people had previously visited.
Rhode Island's exchange, HealthSource RI, sent prescription information, dosages, and doctors' names to Google. Massachusetts Health Connector, another exchange, told LinkedIn whether visitors said they were pregnant, blind, or disabled.

After being contacted by The Markup and CalMatters, Nevada's health exchange stopped sending visitors' data to Snapchat and Massachusetts stopped sending data to LinkedIn. Additionally, The Markup and CalMatters found that Nevada stopped sending data to LinkedIn in early May, as testing was happening.

The Markup and CalMatters discovered the sharing after finding that California's exchange, Covered California, told LinkedIn when a visitor indicated they were blind, pregnant, or a victim of domestic violence.

Experts said state health exchanges' use of advertising trackers was troubling if not entirely surprising. Such tools can help organizations to reach visitors and tailor ads for them. Google Analytics allows website operators to better understand who is coming to their site and to optimize ad campaigns. The LinkedIn and Snap trackers, like a similar offering from Meta, help companies target their social media ads.

Nevada uses the trackers to help target marketing at uninsured residents, according to Russell Cook, Executive Director of the state agency that operates Nevada's exchange, Silver State Health Insurance Exchange.

But health care services need to be especially careful with those tools, said John Haskell, a data privacy attorney who has previously worked as an investigator for the Department of Health and Human Services.

'It doesn't surprise me that organizations that have these massive tech stacks that rely on third-party resources don't have a full understanding of what the configuration is, what the data flows are, and then once they go to somebody, what that data is being used for,' Haskell said. 'It's something that needs to be addressed.'

How was state exchange data tied to users' identities?
After The Markup and CalMatters reported on Covered California's sharing of health data with LinkedIn, the exchange removed its trackers and said it would review its data practices. The news triggered a class-action lawsuit and questions from federal lawmakers. The Markup and CalMatters then examined websites operated by 18 states other than California, as well as Washington, D.C., to see what information they shared as users navigated them. The sites were established under the Affordable Care Act, which requires states to offer health insurance either through their own exchanges or one operated by the federal government. To test them, The Markup and CalMatters first ran the sites through Blacklight, a tool we developed to reveal web trackers. We then reviewed network traffic on the sites to see what data the trackers received when visitors filled out forms. The results showed that 18 used some sort of tracker. Some were filled with them. Nevada, for example, used nearly 50. By contrast, Blacklight found no tracker of any kind on Washington, D.C.'s exchange. Popular websites use on average seven trackers, according to Blacklight scans of the 100,000 most trafficked sites on the web. Many of the sites used trackers in relatively innocuous ways, like counting page views. The four exchanges The Markup and CalMatters found sharing sensitive health data sent varied responses to questions about the tracking. Cook said in a statement that trackers placed by his Nevada agency were 'inadvertently obtaining information regarding the name and dosage of prescription drugs' and sending it to LinkedIn and Snapchat. Cook acknowledged such data was 'wholly irrelevant to our marketing efforts' and said it had disabled tracking software pending an audit. 
Jason Lefferts, a spokesperson for Massachusetts Health Connector, said in a statement that 'personally identifiable information is not part of the tool's structure and no personally identifiable information, not even the IP addresses of users of the tool, has ever been shared with any party in any way via this tool.' But LinkedIn's tracker documentation makes clear that it correlates the information it receives with specific LinkedIn accounts so companies can use the data for features like retargeting website visitors. The company's documentation also states it later obscures this information and eventually deletes it.

Spokespeople for the Rhode Island and Maine health exchanges said that they pay a vendor, Consumers' Checkbook, to run a separate site that allows visitors to explore what plans are available to them through their states' exchanges. It was from these sites that sensitive information was shared to Google. Consumers' Checkbook's sites are at different web addresses than the exchange sites, but are prominently linked to on the exchange sites and display identical branding like the state health exchange's logo, making it unlikely that an average visitor would realize they were no longer on a state-run domain.

Christina Spaight O'Reilly, a spokesperson for HealthSource RI, said the company uses Google Analytics to study trends but not to serve ads, and 'disables Google Signals Data Collection, ensuring that no data is shared with Google Ads for audience creation or ad personalization, and no session data is linked to Google's advertising cookies or identifiers.' HealthSource RI's terms of use mention the use of Google Analytics, she noted. A spokesperson for made similar points, saying that the agency 'does not collect or retain any data entered into the tool.' Consumers' Checkbook declined to comment beyond the exchanges' statements.
All of the exchanges said that individually identifiable health information, like names and addresses, wasn't sent to third parties. But the point of the trackers is to enhance information sent about a user with data the platforms already have on that user, and every tracker found by The Markup and CalMatters logged details about individual visitors, such as their operating system, browser, device, and times of visit.

In response to requests for comment, the tech companies whose trackers were examined uniformly said they do not want organizations sending them potentially sensitive health data, and that doing so is against their terms of use. Steve Ganem, Director of Product Management for Google Analytics, said that 'by default any data sent to Google Analytics does not identify individuals, and we have strict policies against collecting Private Health Information or advertising based on sensitive information.' A spokesperson for LinkedIn, Brionna Ruff, said that advertisers are not allowed 'to target ads based on sensitive data categories,' such as health issues. A spokesperson for Snapchat owner Snap said the same, noting that sending purchases of supplies like prescriptions would run afoul of the company's rules about sensitive data.

A Google Analytics information page specifically discusses how organizations that use the company's tools should comply with the Health Insurance Portability and Accountability Act, which protects health data. The page notes that 'Google makes no representations that Google Analytics satisfies HIPAA requirements.' 'It is important to ensure that your implementation of Google Analytics and the data collected about visitors to your properties satisfies all applicable legal requirements,' the page reads.

More incidents

State exchanges aren't the only health sites that have sent medical information to social media companies.
In 2022, The Markup revealed that dozens of hospital websites shared information with Facebook's parent company, Meta, through a tool called the Meta Pixel. The hospitals faced scrutiny from Congress and legal action. Another Markup investigation found trackers logging information about online drugstore visitors purchasing HIV tests and Plan B. In 2023, a New York hospital agreed to pay a $300,000 fine for violations of the Health Insurance Portability and Accountability Act, or response to a series of incidents, the Department of Health and Human Services said in 2023 that use of social media trackers to log health information could violate HIPAA, although recent court decisions have narrowed how the law can be applied against companies that use those trackers. Some plaintiffs have used state laws, like those in California, to argue that they should be compensated for having their health data sent to third parties without consent. Others have argued that this kind of tracking runs afoul of wiretapping or even racketeering laws. 'Organizations aren't investing enough time and resources into properly vetting everything,' said Haskell, who advises clients to be very careful about the information they track on their sites. 'When organizations are saying, 'we didn't understand that there's a certain configuration of this tool that we're using,' well, I can't really not put that on you.'


USA Today
17-06-2025
- Health
- USA Today
This is how you stop online trackers from collecting your health data
This story was originally published by The Markup, now a part of CalMatters.

In April, The Markup and CalMatters found that Covered California, the state of California's healthcare exchange, was sending the personal health information of its users to LinkedIn. The news triggered a class-action lawsuit and questions from federal lawmakers. In June, a Markup investigation further revealed that exchanges maintained by four other states have also leaked visitors' sensitive health data.

Readers have asked: Is there anything I can do to stop my information from being leaked this way? The answer is yes.

The trackers we found on health exchanges are extremely common and are used by the world's most popular websites. We've found them on websites people use to prepare for college, do their taxes, get a mortgage, or report a mental health crisis. The good news is, you can block many, if not all, of these trackers with just a few steps.

What's happening with our health data?

The owners of the health exchange websites use services provided by tech companies like LinkedIn, Google and Snapchat to track user activity and to target advertising. To make this possible, website owners install and configure code provided by the tech companies on their pages. This code is called a 'tracker.' When you load a page, the tracker code runs, collecting data and sending it to the tech companies' servers. This data can be anything from a profile of the device and browser you're using to every word you type into a form. The tracker can also read and write cookies, which can follow you across multiple websites.

How can I protect my data from these trackers?
Because the data is being collected and sent by your browser, you can exercise some control over it. Here are the options we've tested that have successfully blocked the trackers:

1. Change your settings to block more trackers

Some browsers block many trackers by default and are capable of blocking more. If you're using Safari, using 'Advanced Tracking and Fingerprinting Protection' will block the trackers we found. In desktop Firefox, upping your 'Enhanced Tracking Protection' level from 'Standard' to 'Strict' will do the trick. In Chrome and other browsers, blocking third-party cookies won't stop the trackers from sending your data, but it will make it harder to link that data to you.

2. Install a privacy-protecting browser extension

If you're using a desktop browser, one straightforward solution is to install a privacy-protecting browser extension. We tested Privacy Badger and uBlock Origin Lite and confirmed that they both blocked the trackers from LinkedIn, Snapchat, and Google that we examined in our stories.

3. Switch to a new browser

Chrome and Safari, the browsers most people use, don't stop all the trackers we found from sharing your data out of the box. If you don't want to change your settings as suggested above, installing a new, privacy-focused browser is what we recommend. In our tests, the Brave and DuckDuckGo browsers blocked the trackers we profiled. (Full disclosure: DuckDuckGo has donated to The Markup.)

What doesn't work to block these trackers?

Using a Virtual Private Network (VPN) will not block these trackers. VPN services are handy for obscuring your location, which is a key detail that data brokers use to identify individuals. Unfortunately, a VPN won't stop the trackers from reading and writing cookies and sharing details about your device, browser, and activity on the site. Also, VPNs can have their own issues with data sharing.

Browsing in 'private' or 'incognito' mode will not block these trackers. Using these modes will stop cookies from tracking you to other sites, but won't protect you from having your location, device, browser and activity shared.


Newsweek
30-04-2025
- Health
- Newsweek
California Faces Probe After Sharing People's Health Data With LinkedIn
California's handling of sensitive health information is under scrutiny following a report that data entered by residents on the state's health insurance marketplace was shared with LinkedIn.

Covered California, which runs the state's marketplace, shared sensitive personal data with LinkedIn, a subsidiary of Microsoft, through embedded tracking tools on the website, nonprofit news organization The Markup reported on Monday.

Covered California confirmed the data transmission in a news release later that day, saying "some sensitive data was inadvertently collected by the tags, including first names, the last four digits of Social Security numbers, and other sensitive health information like pregnancy status." It added that all advertising-related tags on the website had been turned off as a "precautionary measure," and that it would review the extent of the data shared.

Representative Kevin Kiley, the Democrat from California, has called for an investigation. "This is incredibly disturbing," he wrote on X, formerly Twitter.

Newsweek contacted Representative Kiley via social media and email, as well as the press offices of Health Secretary Robert F. Kennedy Jr. and California Governor Gavin Newsom via email outside of regular working hours on Wednesday.

Why It Matters

Concerns over personal data have grown in recent months after it emerged the government's Department of Government Efficiency worked to gain access to the Social Security Administration's data systems, which hold sensitive personal data about approximately 70 million Americans. California's sharing of sensitive data with LinkedIn will likely raise similar concerns about threats to Americans' privacy.

What To Know

Trackers on which was created under the Affordable Care Act, captured users' answers to questions about blindness, pregnancy, high prescription use, gender identity and experiences with domestic abuse, The Markup reported. The data was then transmitted to LinkedIn using Insight Tag, which uses code to track how visitors interact with websites.

Covered California said in a statement that it "leverages LinkedIn's advertising platform tools to understand consumer behavior;" however, LinkedIn notes on its website that Insight Tag "should not be installed on web pages that collect or contain Sensitive Data."

The LinkedIn campaign trackers began in February 2024 and were removed "due to a marketing agency transition" in early April, Covered California told CalMatters. Covered California had more than 60 trackers on its site, compared to the average on other government sites of three, CalMatters reported.

What People Are Saying

Covered California said in a news release on Monday: "Covered California is reviewing its entire website and information security and privacy protocols to ensure that no analytics tools are impermissibly collecting or sharing sensitive consumer information. The LinkedIn Insight tags are no longer active and, as a precautionary measure, all active advertising-related tags across the website have been turned off.

"Covered California is committed to safeguarding the confidential information and privacy of its consumers. The organization will share additional findings from this investigation as they become available."

California Representative Kevin Kiley wrote on X: "California's Obamacare website tracked users' personal health information—such as pregnancy and prescription drug use—and sent it to LinkedIn for a 'marketing campaign.' We are asking Secretary Kennedy to investigate for HIPAA violations."

What Happens Next

The Department of Health and Human Services has yet to respond publicly to Kiley's call for an investigation.
Yahoo
29-04-2025
- Health
- Yahoo
How one state sent residents' personal health data to LinkedIn
The website that lets Californians shop for health insurance under the Affordable Care Act, has been sending sensitive data to LinkedIn, forensic testing by The Markup has revealed. As visitors filled out forms on the website, trackers on the same pages told LinkedIn their answers to questions about whether they were blind, pregnant, or used a high number of prescription medications. The trackers also monitored whether the visitors said they were transgender or possible victims of domestic abuse. Covered California, the organization that operates the website, removed the trackers as The Markup and CalMatters reported this article. The organization said they were removed "due to a marketing agency transition" in early April. In a statement, Kelly Donohue, a spokesperson for the agency, confirmed that data was sent to LinkedIn as part of an advertising campaign. Since being informed of the tracking, "all active advertising-related tags across our website have been turned off out of an abundance of caution," she added. "Covered California has initiated a review of our websites and information security and privacy protocols to ensure that no analytics tools are impermissibly sharing sensitive consumer information," Donohue said, adding that they would "share additional findings as they become available, taking any necessary steps to safeguard the security and privacy of consumer data." Visitors who filled out health information on the site may have had their data tracked for more than a year, according to Donohue, who said the LinkedIn campaign began in February 2024. The Markup observed the trackers directly in February and March of this year. It confirmed most ad trackers, including the Meta "pixel" tracker, as well as all third-party cookies, have been removed from the site as of April 21. Since 2014, more than 50 million Americans have signed up for health insurance through state exchanges like Covered California. 
They were set up under the Affordable Care Act, signed into law by President Barack Obama 15 years ago. States can either operate their exchange websites in partnership with the federal government or independently, as California does. Covered California operates as an independent entity within the state government. Its board is appointed by the governor and Legislature. In March, Covered California announced that, after four years of increasing enrollment, a record of nearly 2 million people were covered by health insurance through the program. In all, the organization said, about one in six Californians were at one point enrolled through Covered California. Between 2014 and 2023, the uninsured rate fell from 17.2% to 6.4%, according to the organization, the largest drop of any state during that time period. This coincided with a series of eligibility expansions to Medi-Cal, the state's health insurance program for lower-income households. Experts expressed alarm at the idea that those millions of people could have had sensitive health data sent to a private company without their knowledge or consent. Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, said it was "concerning and invasive" for a health insurance website to be sending data that was "wholly irrelevant" to the uses of a for-profit company like LinkedIn. "It's unfortunate," she said, "because people don't expect that their health information will be collected and used in this way." The Markup and CalMatters in recent months scanned for trackers on hundreds of California state and county government websites that offer services for undocumented immigrants using Blacklight, an automated tool developed by The Markup for auditing website trackers. The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. 
Covered California had dozens more than any other website we examined. On trackers from well-known social media firms like Meta collected information on visitor page views, while lesser-known analytics and media campaign companies like email marketing company LiveIntent also followed users across the site. But by far the most sensitive information was transmitted to LinkedIn. While some of the data sent to LinkedIn was relatively innocuous, such as what pages were visited, Covered California also sent the company detailed information when visitors selected doctors to see if they were covered by a plan, including their specialization. The site also told LinkedIn if someone searched for a specific hospital. In addition to demographic information including gender, the site also shared details with LinkedIn when visitors selected their ethnicity and marital status, and when they told how often they saw doctors for surgery or outpatient treatment. LinkedIn, like other large social media firms, offers a way for websites to easily transmit data on their visitors through a tracking tool that the sites can place on their pages. In LinkedIn's case, this tool is called the Insight Tag. By using the tag, businesses and other organizations can later target advertisements on LinkedIn to consumers that have already shown interest in their products or services. For an e-commerce site, a tracker on a page might be able to note when someone added a product to their cart, and the business can then send ads for that product to the same person on their social media feeds. A health care marketplace like Covered California might use the trackers to reach a group of people who might be interested in a reminder of a deadline for open health insurance enrollment, for example. 
In its statement, Covered California noted the usefulness of these tools, saying the organization "leverages LinkedIn's advertising platform tools to understand consumer behavior and deliver tailored messages to help them make informed decisions about their health care options." Trackers can also be valuable to the social media companies that offer them. In addition to driving ad sales, they provide an opportunity to gather information on visitors to websites other than their own. On its informational page about the Insight Tag, LinkedIn places the burden on websites that employ the tag not to use it in risky situations. The tag "should not be installed on web pages that collect or contain Sensitive Data," the page advises, including "pages offering specific health-related or financial services or products to consumers." LinkedIn spokesperson Brionna Ruff said in an emailed statement, "Our Ads Agreement and documentation expressly prohibit customers from installing the Insight Tag on web pages that collect or contain sensitive data, including pages offering health-related services. We don't allow advertisers to target ads based on sensitive data or categories." Collection of sensitive information by social media trackers has in previous instances led to removal of the trackers, lawsuits, and scrutiny by state and federal lawmakers. For example, after The Markup in 2022 revealed the Department of Education sent personal information to Facebook when students applied for college financial aid online, the department turned off the sharing, faced questions from two members of Congress, and was sued by two advocacy groups who sought more information about the sharing. 
Other stories in the same series about trackers, known as the Pixel Hunt, also led to changes and blowback, including a crackdown by the Federal Trade Commission on telehealth companies transmitting personal information to companies including Meta and Google without user consent and proposed class action lawsuits over information shared through trackers with drug stores, health providers, and tax prep companies. LinkedIn is already facing multiple proposed class-action lawsuits related to the collection of medical information. In October, three new lawsuits in California courts alleged that LinkedIn violated users' privacy by collecting information on medical appointment sites, including for a fertility clinic. Social media companies' tracking practices have underpinned the tremendous growth of the tech industry, but few web users are aware of how far the tracking goes. "This absolutely contradicts the expectation of the average consumer," Geoghegan said. In California, a law called the California Confidentiality of Medical Information Act governs the privacy of medical information in the state. Under the act, consumers must give permission to some organizations before their medical information is disclosed to third parties. Companies have faced litigation under the law for using web tracking technologies, although those suits have not always been successful. Geoghegan said current protections like these don't go far enough in helping consumers protect their sensitive data. "This is an exact example of why we need better protections," she said of LinkedIn receiving the data. "This is sensitive health information that consumers expect to be protected and a lack of regulations is failing us." This story was produced by The Markup and reviewed and distributed by Stacker.


Boston Globe
09-04-2025
- Boston Globe
Students are using AI to write scholarship essays. Does it work?
'They felt a little bit sterile,' said Geiger, the cofounder and CEO of a company called Scholarships360, an online platform used by more than 300,000 students last year to find and apply for scholarships.

Curious, Scholarships360 staffers deployed AI-detection software called GPTZero. It checked almost 1,000 essays submitted for one scholarship and determined that about 42 percent of them had likely been composed with the help of generative AI.

With college acceptances beginning to roll in for high school seniors, and juniors starting to brainstorm the essays they'll submit with their applications in the fall, Geiger is concerned. When students use AI to help write their essays, he said, they are wasting a valuable opportunity.

'The essay is one of the few opportunities in the admissions process for a student to communicate directly with a scholarship committee or with an admissions reader,' Geiger said. 'That provides a really powerful opportunity to share who you are as a person, and I don't think that an AI tool is able to do that.'

Madelyn Ronk, a 20-year-old student at Penn State Beaver, said she never considered using ChatGPT to write the personal statement required for her transfer application from community college last year. A self-described Goody Two-shoes, she didn't want to get in trouble. But there was another reason: She didn't want to turn in the same essay as anyone else.

'I want to be unique. I feel like when people use AI constantly, it just gives the same answer to every single person,' said Ronk, who wrote her essay about volunteering for charitable organizations in her hometown. 'I would like my answer to be me. So I don't use AI.'

Geiger said students' fears about submitting a generic essay are valid — they're less likely to get scholarships that way. But that doesn't mean they have to avoid generative AI altogether.
Some companies offer services to help students use AI to improve their work, rather than to cheat — such as getting help writing an outline, using proper grammar or making points effectively. Generative AI can proofread an essay, and can even tell a student whether their teacher is likely to flag it as AI-assisted.

Packback, for example, is an online platform whose AI software can chat with students and give feedback as they are writing. The bot might flag grammatical errors or the use of passive voice or whether students are digressing from their point. Craig Booth, the company's chief technology officer, said the software is designed to introduce students to ethical uses of AI.

Not all scholarship providers or colleges have policies on exactly how AI can or cannot be used in prospective student essays. For example, Tools like GPTZero aren't reliable 100 percent of the time. The Markup, a news outlet focused on technology, reported on a study that found Because detection software isn't always accurate, Geiger said, Scholarships360 doesn't base scholarship decisions on whether essays were flagged as being generated by AI. But, he said, many of the students whose essays were flagged weren't awarded a given scholarship because 'if your writing is being mistaken for AI,' whether you used the technology or not, for a scholarship or admissions essay, 'it's probably going to be missing the mark.'

Jonah O'Hara, who serves as chair of the admissions practices committee at the National Association of College Admissions Counselors, said that using AI isn't 'inherently evil,' but colleges and scholarship providers need to be transparent about their expectations and students need to disclose when they're using it and for what.
O'Hara, who is director of college counseling at Rocky Hill Country Day School in Rhode Island, said that he has always discouraged students from using a thesaurus in writing college application essays, or using any words that aren't normal for them.

'If you don't use 'hegemony' and 'parsimonious' in text messages with your friends, then why would you use it in an essay to college? That's not you,' O'Hara said. 'If you love the way polysyllabic words roll off your tongue, then, of course, if it's your voice, then use it.'

Generative AI is, functionally, the latest evolution of the thesaurus, and O'Hara wonders whether it has 'put a shelf life on the college essay.'

There was a time when some professors offered self-scheduled, unproctored take-home exams, O'Hara recalled. Students had to sign an honor statement promising that everything they submitted was their own work. But the onus was on the professors to write cheat-proof exams.

O'Hara said if the college essay is going to survive, he thinks this is the direction administrators will have to go. 'If we get to a point where colleges cannot confidently determine [its] authenticity,' he said, 'then they may abandon it entirely.'

This story about was produced by , a nonprofit, independent news organization focused on inequality and innovation in education.