California’s health insurance marketplace, Covered California, transmitted highly sensitive personal health data from its users to LinkedIn, an investigation by The Markup revealed. This data included details about pregnancy, blindness, domestic abuse victim status, and transgender status, shared via tracking technology on coveredca.com. The practice, linked to a LinkedIn advertising campaign active since February 2024, has ignited significant privacy concerns and triggered legal and political repercussions.
Following the investigation, Covered California removed the trackers, initially citing a “marketing agency transition,” but later acknowledging that “all active advertising-related tags across our website have been turned off out of an abundance of caution.” The agency confirmed that while its review is ongoing, it has identified that “some sensitive data was inadvertently collected by the tags, including first names, the last four digits of Social Security numbers, and other sensitive health information like pregnancy status,” as stated in a press release.
Covered California is now also engaging an independent third-party digital forensics firm to support their ongoing review of the matter, according to Newsweek. The incident underscores a critical breach of trust for users of the state-affiliated service.
The data transfer to LinkedIn also encompassed prescription use, ethnicity, marital status, and specific healthcare provider searches. This occurred through LinkedIn’s “Insight Tag,” a tool for targeted advertising. Covered California explained it “leverages LinkedIn’s advertising platform tools to understand consumer behavior and deliver tailored messages to help them make informed decisions about their health care options.” However, LinkedIn’s own policy, as per its informational page, advises against installing the tag on pages with sensitive data, including “pages offering specific health-related or financial services or products to consumers.”
LinkedIn spokesperson Brionna Ruff maintained that their agreements “expressly prohibit customers from installing the Insight Tag on web pages that collect or contain sensitive data, including pages offering health-related services. We don’t allow advertisers to target ads based on sensitive data or categories.”
Legal and Political Fallout Ensues
The revelations quickly led to legal action. A class-action lawsuit was filed against LinkedIn and Google in federal court on April 29. It alleges that “LinkedIn and Google intentionally intercepted sensitive and confidential communications between Covered California and its customers. LinkedIn and Google failed to receive consent for these interceptions,” violating the California Invasion of Privacy Act and the federal Electronic Communications Privacy Act.
Political pressure also mounted. Representative Kevin Kiley (R-CA) described the data sharing as “incredibly disturbing” and called for the Department of Health and Human Services (HHS) to investigate potential violations of privacy laws like HIPAA, according to Newsweek. This call for a federal probe highlights the seriousness with which the alleged data misuse is being viewed.
A Pattern of Pervasive Tracking
The Covered California situation is another example of the widespread use of online data tracking. The Markup’s “Pixel Hunt” series, which includes this investigation, has previously uncovered similar issues, such as the U.S. Department of Education’s sharing of student aid applicants’ data with Facebook. Such incidents often lead to significant blowback, including congressional questions and legal challenges. The Federal Trade Commission has also cracked down on telehealth services for unauthorized data sharing.
Privacy advocates have strongly condemned the Covered California data sharing. Sara Geoghegan of the Electronic Privacy Information Center called the practice “concerning and invasive” and “wholly irrelevant,” adding, “It’s unfortunate because people don’t expect that their health information will be collected and used in this way.”
The incident reveals a troubling gap between user privacy expectations for health data and actual online data handling practices. The sheer number of trackers on coveredca.com—over 60, compared to an average of three on other state sites, according to The Markup’s Blacklight tool—further illustrates the extent of data collection.
Broader Implications for Health Data Security
This case comes against a backdrop of increasing digitization in the healthcare sector and growing concerns about how large tech companies handle medical data. Earlier projects such as Google’s “Project Nightingale,” which involved collecting health data from Ascension and was investigated by federal authorities in 2019, have raised similar privacy alarms.
The legal landscape, including California’s Confidentiality of Medical Information Act, is being tested by such technological capabilities. Geoghegan argued, “This is an exact example of why we need better protections. This is sensitive health information that consumers expect to be protected and a lack of regulations is failing us,” pointing to the need for stronger consumer protections.
Meanwhile, the tech industry continues to push into healthcare, with AI models being trained on vast datasets, like the UK NHS’s “Foresight” program, which itself has faced scrutiny over de-identification and consent. Even without intentional sharing for advertising, vulnerabilities in health tech, such as those found in Microsoft’s Azure AI Health Bot, can put patient data at risk.