Healthcare.gov shares info with third party tracking sites
Posted by: Jon Ben-Mayor on 01/21/2015 10:14 AM
If you are one of the millions of Americans who have signed up for the Affordable Care Act at Healthcare.gov, bits and pieces of your private health data are being shared with dozens of third-party tracking sites. Those sites can now build a unique profile of your habits from that information and bombard you with interest-based ads.
Electronic Frontier Foundation (EFF) researchers say they have independently confirmed that healthcare.gov is sending personal health information to at least 14 third-party domains, even when the user has enabled Do Not Track. The information is sent via the referrer header (spelled `Referer` in HTTP), which contains the URL of the page requesting a third-party resource. The referrer header is an essential part of the HTTP protocol and is sent for every request that is made on the web. It lets the requested resource know what URL the request came from, which, for example, lets a website learn who else is linking to its pages. In this case, however, the referrer URL contains personal health information.
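The following is an added audit helper, not EFF's tooling or code from healthcare.gov: it models what a browser puts in the `Referer` header when a page loads a resource from another domain under several `Referrer-Policy` settings, and reports which sensitive query fields a third party would see. The page URL, the tracker domain and the list of sensitive parameter names are constructed assumptions, not values taken from the EFF findings.

```python
from urllib.parse import urlsplit, parse_qs

# Query-string keys treated as personal health information. Constructed
# sample set; the real parameter names used by the site are not given here.
SENSITIVE_KEYS = {"age", "zip", "income", "smoker", "pregnant", "state"}

# Constructed example of a plan-search page whose URL carries PHI.
SAMPLE_PAGE = "https://www.healthcare.gov/see-plans/results/?zip=12345&age=40&smoker=1"


def referer_for(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Return the Referer value a browser sends when a page at page_url
    requests resource_url under the given Referrer-Policy, or None if the
    header is suppressed. Only the policies relevant to this audit are modelled;
    'no-referrer-when-downgrade' was the browser default at the time."""
    page, res = urlsplit(page_url), urlsplit(resource_url)
    same_origin = (page.scheme, page.netloc) == (res.scheme, res.netloc)
    downgrade = page.scheme == "https" and res.scheme == "http"
    full_url = page._replace(fragment="").geturl()   # fragment is never sent
    origin_only = f"{page.scheme}://{page.netloc}/"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full_url
    if policy == "same-origin":
        return full_url if same_origin else None
    if policy == "strict-origin-when-cross-origin":
        if downgrade:
            return None
        return full_url if same_origin else origin_only
    raise ValueError(f"unsupported policy: {policy}")


def leaked_fields(page_url, resource_url, policy="no-referrer-when-downgrade"):
    """Sensitive query fields that a third-party resource host would receive
    in the Referer header. First-party requests are not counted as leaks."""
    if urlsplit(page_url).netloc == urlsplit(resource_url).netloc:
        return set()
    ref = referer_for(page_url, resource_url, policy)
    if ref is None:
        return set()
    return {k for k in parse_qs(urlsplit(ref).query) if k in SENSITIVE_KEYS}


if __name__ == "__main__":
    tracker = "https://tracker.example/pixel.gif"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, "->", sorted(leaked_fields(SAMPLE_PAGE, tracker, policy)))
```

Running the script shows the full query string reaching the tracker under the old default policy and nothing under the stricter ones, which is the check a site operator would want before embedding any third-party resource on a page whose URL carries user data.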
The following is a table showing which third party domains EFF researchers confirmed were receiving the private health data.

Third-party resources could also introduce additional security risks to the healthcare.gov website, with each included third-party resource increasing the attack surface of the site. If an attacker were able to compromise just one of the third-party resources included on healthcare.gov, they could potentially compromise the accounts of every user of healthcare.gov. The attacker could then sell the private health information or hold it for ransom.