California sent residents' personal health data to LinkedIn

  • When I first read the headline, I thought it was a boneheaded mistake of forgetting to disable tracking on certain web pages. But no:

    > The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. Covered California had dozens more than any other website we examined.

    Why is Covered California such an outlier? Why do they need 60 trackers? It's an independent agency that only deals in health insurance, so they obviously (and horribly) thought it was a good idea to send data about residents' health insurance to a third party.

  • Covered California, the state’s health insurance marketplace, leaked deeply sensitive health information and pregnancy status, domestic abuse disclosures, and prescription drug use to LinkedIn via embedded ad trackers.

    It’s a pattern we’ve seen across government and private sectors: infrastructure designed for care is being exploited for behavioral targeting through advertising motions. The public doesn’t expect their health decisions to be fed into social ad networks, but the platforms already assume ownership of that data trail.

    And of course, it’s all connected. The same companies monetizing behavioral profiling at scale are now running the most powerful generative AI systems. Microsoft, which owns LinkedIn, is also the key infrastructure partner of OpenAI. Meta's ad tools were present on these health sites too. Google’s trackers are everywhere else.

    When you strip away the techno-mystique, what’s driving the AI and data arms race isn’t wisdom. It’s ego, power consolidation, and a pathological fear of being second.

    And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?

  • For the last week, LinkedIn kept showing me ads for some specific dental procedure, near the top of my feed.

    It's an optional follow-on procedure for the dental surgery procedure I had scheduled for this week.

    I'm much more careful than most people about keeping Web search and browsing history private. But there's a chance that last week I browsed some question about the scheduled procedure, from my less-private Web browser, rather than from the Tor Browser that I usually use for anything sensitive that doesn't require identifying myself.

    If I didn't make a Web OPSEC oops, it looks like maybe someone effectively gave private medical information to LinkedIn, of all places (an employment-matchmaking service, where employers are supposed to be conscientious of EEOC and similar concerns).

  • Why does a state have ad tracking data? Are they really that hard up for cash that they need to have ad campaigns for people selecting insurance?

  • How is this not a HIPAA violation??

  • California will investigate and find no wrong. Also, LinkedIn==Microsoft

  • If you routinely clear your cookies, does that protect you from long term tracking?

  • Is Covered California a government entity, for profit, non profit, other...? Not that it matters.

    "Leak" is not the right term. By default a "website" is a 404. Throw some HTML on there and users can see something. Adding LinkedIn tracking is a deliberate choice. Calling the data "leaked" is like saying a raft sprung a "leak" when the person in the raft punctured it 60 times (number of trackers). The data was shared and pushed to LI, on purpose. They (Covered CA) installed LinkedIn's code on their site. The code did exactly what it was intended to do, send data to LinkedIn.

    A leak is accidental, this was a choice by Covered CA.

  • The reality is that anyone in the medical field can put any kind of information in your medical records for any reason. Many motivations exist to compel this kind of behavior. Sometimes this can be in a part of your permanent record that they do not have to provide to you, even if you follow the rules and laws to request the information. Many exceptions exist under the disclosure laws.

    Your information then can be freely shared with others but not given to you or give you any way to correct the false information in your record.

    For what it's worth, in the United States at least, you have several permanent records that follow you everywhere you go. Your medical records work in a similar way to your former employers. In fact, employer confidentiality to other employers allows them to say almost anything about you and neither has to share it with you and you have no chance to have any kind of fair process to correct it.

    Now add all the data brokers and the other bribery kind of situations and the whole system is basically broken and corrupt.

  • My understanding is that people would have to intentionally click on the ad on LI to get access to the cookie that contains the sensitive info from the insurance signup flow (which was triggered by clicking the ad). Is that correct?

  • Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act. It only mentions as an aside that there are various related lawsuits.

    Covered California's privacy policy explicitly says they follow HIPAA and that "Covered California will only share your personal information with government agencies, qualified health plans or contractors which help to fulfill a required Exchange function" and "your personal information is only used by or disclosed to those authorized to receive or view it" and "We will not knowingly disclose your personal information to a third party, except as provided in this Privacy Policy".

    Those privacy policy assertions have been in place since at least October 2020, per the Internet Archive wayback machine record. [2]

    [1] https://www.coveredca.com/pdfs/privacy/CC_Privacy_Policy.pdf

    [2] https://web.archive.org/web/20201024150356/https://www.cover...

  • People like to say "big tech sells their data." This is actually rare. Almost every other company you deal with willingly gives it to big tech, and they just hoard it and run ads with it.

  • That's nothing. The Federal government sent residents' personal health data to xAI.

  • Brought to you by the state reinventing GDPR for the American audience: another 80 IQ moment which will be lauded by some as a brave new world...

    Get your act together and either resign or stop handling public data let alone the sensitive stuff. I'm serious, draft that letter now.

  • Even with the absolute incompetence shown in this article (Meta or Google would never make a mistake like this), no one has been actually harmed.