Covered California has responded to reports that its website sent consumers' personal information to the social media site LinkedIn. Covered California released a weak statement with few details, minimizing the leak of personal information that consumers felt was tightly secured.

“While the review is still ongoing, Covered California has identified that some sensitive data was inadvertently collected by the tags, including first names, the last four digits of Social Security Numbers, and other sensitive health information like pregnancy status. To our knowledge, access to this data was limited to Covered California credentialed users for the limited purpose of managing Covered California’s account.” – Covered California statement, April 28, 2025.
Investigation Reveals Covered California Social Media Data Leak
CalMatters reported that Covered California may have been sending data to LinkedIn for over a year.

“Visitors who filled out health information on the site may have had their data tracked for more than a year, according to Donohue [Covered California spokesperson], who said the LinkedIn campaign began in February 2024.”
It was also reported that the Covered California website had more than 60 tags or trackers. An analysis by CalMatters and The Markup concluded that the most detailed information released pertained to marital status, pregnancy, ethnicity, the last four digits of the Social Security number, and first name, along with estimates of health care services and provider searches.
In short, enough personal information to reasonably identify a person, especially if they had a LinkedIn account. However, the problem is that we don’t know who has access to this information or how many consumers had their information exposed. It all adds up to a breach of trust.
Covered California Assurances of Privacy and Security
Individuals and families applying for health insurance through Covered California are greeted with a pop-up question requesting verification of their information by Covered California. The verification question states, “We only use your information for health care purposes.” This leads consumers to assume that their information is kept confidential and not shared with third party organizations.
At the end of the application, the consumer must read a terms and conditions page that states, “I understand that all information disclosed on this application will be kept private, as required by law.” This is another statement that leaves the impression that the consumer’s information is not being shared with other organizations that are not expressly tied to Covered California.
Cookies and Tags Used on All Websites for Marketing, User Experience
You may have seen the pop-up window on some websites that asks for your permission to track your activity on the website with the use of cookies. Tags are embedded in some websites to acquire information on how visitors use the website. Cookies and tags can be important for the organization to optimize the user experience. It is no surprise that Covered California would use tags or cookies on their website for marketing.
The problem arises when the visitor information that is gathered, even if it is anonymized, is shared with third parties. The European Union implemented strict rules for websites to gain visitor permission to gather certain information. There can be fines for gathering visitor information without their permission.

On my website, insuremekevin.com, there are Google tags. The tags fire when someone visits the site and gather information such as the referrer, pages viewed, duration of visit, and if the viewer is new or a returning visitor. The data is all based on the IP address of the user. I can see all the data, down to the geographic region of the visitors, but no personally identifying information is captured.
For large websites and applications like Covered California, cookies and tags can be invaluable for adjusting the website. The reports can indicate if there are problems with how the users interact with the website and give insights into marketing strategies.
Covered California, like any large corporation, spends quite a bit of time marketing their services. They need to maximize their advertising dollars to make sure they are reaching consumers who can benefit from subsidized health insurance. The tags help with defining where they should spend their ad budget. I don’t fault Covered California for employing tags that provide solid information regarding who their visitors are – and by extension – consumers they may not be reaching.
The question becomes who was overseeing and managing the tags, trackers, cookies and the specific code embedded in the Covered California application?
The management of websites, especially as large and complicated as Covered California, requires professionals that understand all the code, trackers, cookies, and tags. It is surprising that the Covered California IT team missed the tag that was gathering personal information and sending it to LinkedIn.
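One way a site owner could test for this kind of leak, shown as an added example that is not from Covered California or the reporting cited above: type known canary values into the form, capture the browser's outgoing requests, and flag any request to a third-party host that carries those values, plain or encoded. The domain names, canary values, and captured requests below are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import parse_qsl, urlsplit

FIRST_PARTY = "exchange.example"  # hypothetical first-party domain

# Constructed canary values a tester types into the application form.
CANARIES = {"first_name": "Marisol", "ssn_last4": "4821"}

# Constructed capture of browser requests (url + body, as in a HAR export).
CAPTURED = [
    {"url": "https://www.exchange.example/api/apply",
     "body": "first_name=Marisol&ssn_last4=4821"},
    {"url": "https://px.tracker-a.example/collect?ev=pageview&page=%2Fhome",
     "body": ""},
    {"url": "https://px.tracker-a.example/collect?ev=input&v=Marisol",
     "body": ""},
    {"url": "https://t.tracker-b.example/e",
     "body": "d=" + base64.b64encode(b"4821").decode()},
    {"url": "https://t.tracker-b.example/e?h="
            + hashlib.sha256(b"marisol").hexdigest(), "body": ""},
]

def is_third_party(url):
    host = urlsplit(url).hostname or ""
    return not (host == FIRST_PARTY or host.endswith("." + FIRST_PARTY))

def variants(value):
    """The raw value plus encodings a tag might apply before sending it."""
    return {
        "plain": value,
        "base64": base64.b64encode(value.encode()).decode(),
        "sha256": hashlib.sha256(value.lower().encode()).hexdigest(),
    }

def find_leaks(captured, canaries):
    """Return (host, field, encoding) for each canary seen leaving the site."""
    findings = []
    for req in captured:
        if not is_third_party(req["url"]):
            continue  # the site's own backend is expected to receive the form
        parts = urlsplit(req["url"])
        values = [v for _, v in parse_qsl(parts.query) + parse_qsl(req["body"])]
        for field, canary in canaries.items():
            for encoding, needle in variants(canary).items():
                if any(needle in v for v in values):
                    findings.append((parts.hostname, field, encoding))
    return findings

for finding in find_leaks(CAPTURED, CANARIES):
    print(*finding)
```

A hit on a hashed or base64 value still counts: the encoding hides the value from a casual look at the traffic, but the third party receives something it can match against its own records.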
When there is a data breach of personal information, companies and organizations are required to send a notice to the affected individuals. I’ve received at least six notices over the last couple of years from the health plans about a data breach they had. Usually, they offer me a year of no-cost credit report monitoring.
The data sent to LinkedIn was not a traditional data breach where the database was hacked or nefarious people gained access to the sensitive data. Covered California voluntarily handed the information to LinkedIn. I assume there will be no penalties levied on Covered California for the leak to LinkedIn.
Agent Training on Privacy and Security
Every year Covered California agents must go through training that requires the review of privacy and security standards. If an agent fails to properly secure or destroy personally identifying information of consumers, and that information is disclosed in an unauthorized manner, it can lead to contract termination. In other words, if I had a website that transmitted personally identifying information to a third party without the consent of the consumer, I would most likely be terminated as a Certified Insurance Agent for Covered California.
As a Certified Insurance Agent, I enrolled individuals and families into Covered California health plans during the period that the offending trackers were enabled. Does that make me inadvertently complicit with the leaking of confidential information to users unknown?
Covered California should be completely transparent on this breach of privacy. How many consumers were affected? What was the time frame of data transmission? Which websites or applications leaked the data? Will the affected consumers be contacted like in a traditional data breach? What steps is Covered California taking to ensure these trackers, cookies, and tags never gather personally identifying information again?
The only way to repair the breach of trust between Covered California and the public is to do a complete investigation and release the results.
