Covered California, the state’s health insurance marketplace, leaked deeply sensitive health information and pregnancy status, domestic abuse disclosures, and prescription drug use to LinkedIn via embedded ad trackers.
It’s a pattern we’ve seen across government and private sectors: infrastructure designed for care is being exploited for behavioral targeting through advertising motions. The public doesn’t expect their health decisions to be fed into social ad networks, but the platforms already assume ownership of that data trail.
And of course, it’s all connected. The same companies monetizing behavioral profiling at scale are now running the most powerful generative AI systems. Microsoft, which owns LinkedIn, is also the key infrastructure partner of OpenAI. Meta's ad tools were present on these health sites too. Google’s trackers are everywhere else.
When you strip away the techno-mystique, what’s driving the AI and data arms race isn’t wisdom. It’s ego, power consolidation, and a pathological fear of being second.
And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
Would we be surprised to learn of 10x this level of leakage to Facebook? Based on the social tracking I've casually observed via browser tools when signing up to a variety of services, I'd be surprised if it's not. The weird thing here is that it's LinkedIn getting the data, not that it's being sent.
Sociopaths being sociopaths, there is nothing more to it. One should never assume those who rose to massive power and wealth on their own are anything else but that. There are few exceptions, or rather well-meaning sociopaths, but they are really an exception.
The idea that they only got there by doing a bit of hard honest work is brutally naive. Its a sad fact of life, but fact it is. Looking at world with such optics, there are hardly any surprises (and no its not all doom and gloom, rather just factual reality with very few disappointments down the line).
What we call "power" is not a property of a person, but a function of networks of relationships. A king is only "powerful" insofar as his authority is recognized. The moment his perceived authority is lost, the moment no one or few recognize it, is the moment he no longer has "power".
In other words, it only works if there is enough social support for it. It requires our complicity.
Most people with ASPD (what you call sociopathy) are not able to build these sorts of networks. They're impulsive. They are over-represented among the homeless. They are poor at planning or foreseeing the consequences of their actions. These are not exactly conducive to building these social networks. A sociopath is more the street thug or the gangbanger and less the CEO of a corporation.
I think publicly leveling accusations against other commenters downgrades the quality of the conversation—and it's against the forum rules too.
You can email the mods if it's something that can be moderated, but please keep it private! It makes things worse if this kind of accusation happens to be wrong. (Also makes things worse if it's right). Often it's singling out an actual, real person for unpleasant scrutiny they didn't expect or want.
>And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
When I first read the headline, I thought it was a boneheaded mistake of forgetting to disable tracking on certain web pages. But no:
>The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. Covered California had dozens more than any other website we examined.
Why is Covered California such an outlier? Why do they need 60 trackers? It's an independent agency that only deals in health insurance, so they obviously (and horribly) thought it was a good idea to send data about residents' health insurance to a third party.
I'm sure they did it for money. Those trackers weren't put there for nothing. At least government websites funneling citizen's data to Google by using Google Analytics on their sites can argue that they're just selling out taxpayers to get easy site metrics. When you've got 60 trackers on a single page though, somebody is stuffing their pockets with cash in exchange for user data.
For the last week, LinkedIn kept showing me ads for some specific dental procedure, near the top of my feed.
It's an optional follow-on procedure for the dental surgery procedure I had scheduled for this week.
I'm much more careful than most people about keeping Web search and browsing history private. But there's a chance that last week I browsed some question about the scheduled procedure, from my less-private Web browser, rather than from the Tor Browser that I usually use for anything sensitive that doesn't require identifying myself.
If I didn't make a Web OPSEC oops, it looks like maybe someone effectively gave private medical information to LinkedIn, of all places (an employment-matchmaking service, where employers are supposed to be conscientious of EEOC and similar concerns).
I understood it to be the reverse - they advertise on LinkedIn, and the trackers determine whether the users convert once they click through. Not great, but at least not as ill intentioned
Not sure I understand this, but "I" (coveredca) pay linkedin to place my ads, for which "I" have to use their libraries? That then scrape "my" clients/customer data to linkedin? for them to make more money selling that data?
Does this also mean that those pious popups about "Do not sell my information" are essentially vacuous?
While I wish it was a HIPAA violation, I am not sure it qualifies.
"The HIPAA standards apply to covered entities and business associates “where provided” by §160.102. Covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards"
https://www.hipaajournal.com/what-is-a-hipaa-violation/#what...
Covered California is a health insurance marketplace. It is not an Insurance Carrier or an Insurance Clearing house. Perhaps they're guilty of something else?
Two reasons: The marketplace is not a covered entity (it doesn’t provide healthcare or process transactions), and the information is not a medical record (it’s typed in by the user, not generated by a healthcare provider).
However, California has its own more general privacy law about using medical information for marketing purposes.
So if I fill out my medical record form at the doctors office its not a medical record because me the user filled it out before handing it over the front desk?
Not if you use Chrome 135 or later, which is every browser now except Firefox/LibreWolf.
Federated Learning of Cohorts (FLOC) proved that cookies aren't actually necessary to track you with 98%+ precision, which, given how the internet works, is just 2 clicks.
The only way to stay anonymous is to stay on the radar. Sandbox your browser, have multiple physical-on-the-filesystem profiles and never mix business with pleasure or banking with youtube.
If you use Linux, create a Windows 11 VM to browse anonymously. Because Linux makes you already stick out as a sore thumb due to its TCP fingerprint.
Fingerprinting is an active area of research (both attack and defense), so the answer is, maybe, depending on just how unique your setup is. EFF has a nice demo that will try to fingerprint you and tell you how trackable you are based on non-cookie data: https://coveryourtracks.eff.org
Of course, new techniques are invented all the time, so that may not cover everything.
Unless they are targeting a specific individual for spying purposes, is there any benefit to doing such deep fingerprinting at the individual level, given that multiple people might use the same computer? It seems like knowing every single thing done at that computer may be too much information that might not have value but having more broad-based tracking patterns would be cheaper and more profitable, no?
They published ("leaked" lol no -- it was all available through a polished portal) the name and address of all CCW and DROS registered firearm holders (including judges, DV victims, prosecutors, etc) and nothing happened.
People like to say "big tech sells their data." This is actually rare. Almost every other company you deal with willing gives it to big tech, and they just hoard it and run ads with it.
The reality is that anyone in the medical field can put any kind of information in your medical records for any reason. Many motivations exist to compel this kind of behavior. Sometimes this can be in a part of your permanent record that they do not have to provide to you, even if you follow the rules and laws to request the information. Many exceptions exist under the disclosure laws.
Your information then can be freely shared with others but not given to you or give you any way to correct the false information in your record.
For what it's worth, in the United States at least, you have several permanent records that follow you everywhere you go. Your medical records work in a similar way to your former employers. In fact, employer confidentiality to other employers allows them to say almost anything about you and neither has to share it with you and you have no chance to have any kind of fair process to correct it.
Now add all the data brokers and the other bribery kind of situations and the whole system is basically broken and corrupt.
That is misinformation. HIPAA covered healthcare providers are legally required to give you copies of your health information upon request, and can only charge a nominal fee for this service (in practice it's usually free). Any patient who is blocked from accessing their own medical records should file a formal complaint with HHS; they have fined multiple provider organizations for violations.
My understanding is that people would have to intentionally click on the ad on LI to get access to the cookie that contains the sensitive info from the insurance signup flow (which was triggered by clicking the ad). Is that correct?
Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act. It only mentions as an aside that there are various related lawsuits.
Covered California's privacy policy explicitly says they follow HIPAA and that "Covered California will only share your personal information with government agencies, qualified health plans or contractors which help to fulfill a required Exchange function" and "your personal information is only used by or disclosed to those authorized to receive or view it" and "We will not knowingly disclose your personal information to a third party, except as provided in this Privacy Policy".
Those privacy policy assertions have been in place since at least October 2020, per the Internet Archive wayback machine record. [2]
Companies outright lie in their privacy polices all the time. The legal risk in doing so is basically zero because nobody bothers to sue and it's impossible to show damages.
> Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act.
Being really clear, I despise this whole situation. But there's a lot of contortion to get to a government healthcare marketplace being consider a healthcare provider, which has a definition in the law.
If you have a value sliding scale of "actually harmed", then almost no privacy breach harms anyone, right? Is the threshold for harm actually being scammed, physically hurt, reputation damaged?
Thankfully, those the law is not based on such thresholds.
Covered California, the state’s health insurance marketplace, leaked deeply sensitive health information and pregnancy status, domestic abuse disclosures, and prescription drug use to LinkedIn via embedded ad trackers.
It’s a pattern we’ve seen across government and private sectors: infrastructure designed for care is being exploited for behavioral targeting through advertising motions. The public doesn’t expect their health decisions to be fed into social ad networks, but the platforms already assume ownership of that data trail.
And of course, it’s all connected. The same companies monetizing behavioral profiling at scale are now running the most powerful generative AI systems. Microsoft, which owns LinkedIn, is also the key infrastructure partner of OpenAI. Meta's ad tools were present on these health sites too. Google’s trackers are everywhere else.
When you strip away the techno-mystique, what’s driving the AI and data arms race isn’t wisdom. It’s ego, power consolidation, and a pathological fear of being second.
And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
Would we be surprised to learn of 10x this level of leakage to Facebook? Based on the social tracking I've casually observed via browser tools when signing up to a variety of services, I'd be surprised if it's not. The weird thing here is that it's LinkedIn getting the data, not that it's being sent.
Sociopaths being sociopaths, there is nothing more to it. One should never assume those who rose to massive power and wealth on their own are anything else but that. There are few exceptions, or rather well-meaning sociopaths, but they are really an exception.
The idea that they only got there by doing a bit of hard honest work is brutally naive. Its a sad fact of life, but fact it is. Looking at world with such optics, there are hardly any surprises (and no its not all doom and gloom, rather just factual reality with very few disappointments down the line).
What we call "power" is not a property of a person, but a function of networks of relationships. A king is only "powerful" insofar as his authority is recognized. The moment his perceived authority is lost, the moment no one or few recognize it, is the moment he no longer has "power".
In other words, it only works if there is enough social support for it. It requires our complicity.
Most people with ASPD (what you call sociopathy) are not able to build these sorts of networks. They're impulsive. They are over-represented among the homeless. They are poor at planning or foreseeing the consequences of their actions. These are not exactly conducive to building these social networks. A sociopath is more the street thug or the gangbanger and less the CEO of a corporation.
It's the idea that class warfare will get us anywhere good that's brutally naive at this point.
46 replies →
[dead]
[flagged]
I think publicly leveling accusations against other commenters downgrades the quality of the conversation—and it's against the forum rules too.
You can email the mods if it's something that can be moderated, but please keep it private! It makes things worse if this kind of accusation happens to be wrong. (Also makes things worse if it's right). Often it's singling out an actual, real person for unpleasant scrutiny they didn't expect or want.
"Remember the human."
3 replies →
>And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
I don't think AI would come up with this line
3 replies →
When I first read the headline, I thought it was a boneheaded mistake of forgetting to disable tracking on certain web pages. But no:
>The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. Covered California had dozens more than any other website we examined.
Why is Covered California such an outlier? Why do they need 60 trackers? It's an independent agency that only deals in health insurance, so they obviously (and horribly) thought it was a good idea to send data about residents' health insurance to a third party.
I'm sure they did it for money. Those trackers weren't put there for nothing. At least government websites funneling citizen's data to Google by using Google Analytics on their sites can argue that they're just selling out taxpayers to get easy site metrics. When you've got 60 trackers on a single page though, somebody is stuffing their pockets with cash in exchange for user data.
I assume some of it was to show targeted ads on social media platforms. I'm sure an internal KPI is new customers, just like any e-commerce site.
Quick reminder that state of California takes a DNA sample from every newborn and sells it to third parties
For the last week, LinkedIn kept showing me ads for some specific dental procedure, near the top of my feed.
It's an optional follow-on procedure for the dental surgery procedure I had scheduled for this week.
I'm much more careful than most people about keeping Web search and browsing history private. But there's a chance that last week I browsed some question about the scheduled procedure, from my less-private Web browser, rather than from the Tor Browser that I usually use for anything sensitive that doesn't require identifying myself.
If I didn't make a Web OPSEC oops, it looks like maybe someone effectively gave private medical information to LinkedIn, of all places (an employment-matchmaking service, where employers are supposed to be conscientious of EEOC and similar concerns).
Why does a state have ad tracking data? Are they really that hard up for cash that they need to have ad campaigns for people selecting insurance?
I understood it to be the reverse - they advertise on LinkedIn, and the trackers determine whether the users convert once they click through. Not great, but at least not as ill intentioned
Not sure I understand this, but "I" (coveredca) pay linkedin to place my ads, for which "I" have to use their libraries? That then scrape "my" clients/customer data to linkedin? for them to make more money selling that data?
Does this also mean that those pious popups about "Do not sell my information" are essentially vacuous?
It could be insiders getting kickbacks.
[flagged]
Here's some context for people who are curious about CA DMV data sales:
https://www.thedrive.com/news/35457/why-is-the-california-dm...
How is this not a HIPAA violation??
While I wish it was a HIPAA violation, I am not sure it qualifies. "The HIPAA standards apply to covered entities and business associates “where provided” by §160.102. Covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards" https://www.hipaajournal.com/what-is-a-hipaa-violation/#what...
Covered California is a health insurance marketplace. It is not an Insurance Carrier or an Insurance Clearing house. Perhaps they're guilty of something else?
However, it may violate the state's Electronic Communication Privacy Act.
https://calmatters.org/health/2025/05/covered-california-lin...
1 reply →
Sounds like HIPAA needs some adjustments made to cover marketplaces.
5 replies →
Two reasons: The marketplace is not a covered entity (it doesn’t provide healthcare or process transactions), and the information is not a medical record (it’s typed in by the user, not generated by a healthcare provider).
However, California has its own more general privacy law about using medical information for marketing purposes.
So if I fill out my medical record form at the doctors office its not a medical record because me the user filled it out before handing it over the front desk?
2 replies →
Who says it's not? It looks like a HIPAA violation to me.
[dead]
If you routinely clear your cookies, does that protect you from long term tracking?
Not if you use Chrome 135 or later, which is every browser now except Firefox/LibreWolf.
Federated Learning of Cohorts (FLOC) proved that cookies aren't actually necessary to track you with 98%+ precision, which, given how the internet works, is just 2 clicks.
The only way to stay anonymous is to stay on the radar. Sandbox your browser, have multiple physical-on-the-filesystem profiles and never mix business with pleasure or banking with youtube.
If you use Linux, create a Windows 11 VM to browse anonymously. Because Linux makes you already stick out as a sore thumb due to its TCP fingerprint.
Fingerprinting is an active area of research (both attack and defense), so the answer is, maybe, depending on just how unique your setup is. EFF has a nice demo that will try to fingerprint you and tell you how trackable you are based on non-cookie data: https://coveryourtracks.eff.org
Of course, new techniques are invented all the time, so that may not cover everything.
Unless they are targeting a specific individual for spying purposes, is there any benefit to doing such deep fingerprinting at the individual level, given that multiple people might use the same computer? It seems like knowing every single thing done at that computer may be too much information that might not have value but having more broad-based tracking patterns would be cheaper and more profitable, no?
1 reply →
California will investigate and find no wrong. Also, LinkedIn==Microsoft
They published ("leaked" lol no -- it was all available through a polished portal) the name and address of all CCW and DROS registered firearm holders (including judges, DV victims, prosecutors, etc) and nothing happened.
They use your information for political warfare.
People like to say "big tech sells their data." This is actually rare. Almost every other company you deal with willing gives it to big tech, and they just hoard it and run ads with it.
The reality is that anyone in the medical field can put any kind of information in your medical records for any reason. Many motivations exist to compel this kind of behavior. Sometimes this can be in a part of your permanent record that they do not have to provide to you, even if you follow the rules and laws to request the information. Many exceptions exist under the disclosure laws.
Your information then can be freely shared with others but not given to you or give you any way to correct the false information in your record.
For what it's worth, in the United States at least, you have several permanent records that follow you everywhere you go. Your medical records work in a similar way to your former employers. In fact, employer confidentiality to other employers allows them to say almost anything about you and neither has to share it with you and you have no chance to have any kind of fair process to correct it.
Now add all the data brokers and the other bribery kind of situations and the whole system is basically broken and corrupt.
That is misinformation. HIPAA covered healthcare providers are legally required to give you copies of your health information upon request, and can only charge a nominal fee for this service (in practice it's usually free). Any patient who is blocked from accessing their own medical records should file a formal complaint with HHS; they have fined multiple provider organizations for violations.
https://www.hhs.gov/hipaa/for-individuals/guidance-materials...
https://www.hhs.gov/hipaa/for-professionals/compliance-enfor...
My understanding is that people would have to intentionally click on the ad on LI to get access to the cookie that contains the sensitive info from the insurance signup flow (which was triggered by clicking the ad). Is that correct?
Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act. It only mentions as an aside that there are various related lawsuits.
Covered California's privacy policy explicitly says they follow HIPAA and that "Covered California will only share your personal information with government agencies, qualified health plans or contractors which help to fulfill a required Exchange function" and "your personal information is only used by or disclosed to those authorized to receive or view it" and "We will not knowingly disclose your personal information to a third party, except as provided in this Privacy Policy".
Those privacy policy assertions have been in place since at least October 2020, per the Internet Archive wayback machine record. [2]
[1] https://www.coveredca.com/pdfs/privacy/CC_Privacy_Policy.pdf
[2] https://web.archive.org/web/20201024150356/https://www.cover...
Companies outright lie in their privacy polices all the time. The legal risk in doing so is basically zero because nobody bothers to sue and it's impossible to show damages.
> Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act.
Being really clear, I despise this whole situation. But there's a lot of contortion to get to a government healthcare marketplace being consider a healthcare provider, which has a definition in the law.
That's nothing. The Federal governemnt sent residents' personal health data to xAI.
Source?
Bright to you by the state reinventing gdpr for the American audience another 80IQ moment which will be lauded by some as a brave new world...
Get your act together and either resign or stop handling public data let alone the sensitive stuff. I'm serious, draft that letter now.
[dead]
[flagged]
Even with the absolute incompetence shown in this article (Meta or Google would never make a mistake like this), no one has been actually harmed.
If you have a value sliding scale of "actually harmed", then almost no privacy breach harms anyone, right? Is the threshold for harm actually being scammed, physically hurt, reputation damaged?
Thankfully, those the law is not based on such thresholds.
Relative to the actual harms caused, HN freaks about this kind of stuff too much.