California sent residents' personal health data to LinkedIn
97 comments · May 15, 2025
kordlessagain
quantified
Would we be surprised to learn of 10x this level of leakage to Facebook? Based on the social tracking I've casually observed via browser tools when signing up to a variety of services, I'd be surprised if it's not. The weird thing here is that it's LinkedIn getting the data, not that it's being sent.
jajko
Sociopaths being sociopaths, there is nothing more to it. One should never assume those who rose to massive power and wealth on their own are anything else but that. There are few exceptions, or rather well-meaning sociopaths, but they are really an exception.
The idea that they only got there by doing a bit of hard honest work is brutally naive. It's a sad fact of life, but fact it is. Looking at the world with such optics, there are hardly any surprises (and no, it's not all doom and gloom, rather just factual reality with very few disappointments down the line).
lo_zamoyski
What we call "power" is not a property of a person, but a function of networks of relationships. A king is only "powerful" insofar as his authority is recognized. The moment his perceived authority is lost, the moment no one or few recognize it, is the moment he no longer has "power".
In other words, it only works if there is enough social support for it. It requires our complicity.
Most people with ASPD (what you call sociopathy) are not able to build these sorts of networks. They're impulsive. They are over-represented among the homeless. They are poor at planning or foreseeing the consequences of their actions. These are not exactly conducive to building these social networks. A sociopath is more the street thug or the gangbanger and less the CEO of a corporation.
FredPret
It's the idea that class warfare will get us anywhere good that's brutally naive at this point.
pseudocomposer
What do you define as “class warfare?” Do you agree that the current status-quo hyper-consolidation of wealth our economy has fostered since at least 1972 is already an ongoing type of class warfare?
And finally, why do you think class warfare can’t get us anywhere?
Loudergood
Class warfare is already happening from the top down.
timewizard
I love it when enforcing laws and fairness is perceived as "class warfare."
yapyap
I think class warfare will get the working class further than whatever is being done at the moment honestly.
ithrablip
[flagged]
shaky-carrousel
[flagged]
perihelions
I think publicly leveling accusations against other commenters downgrades the quality of the conversation—and it's against the forum rules too.
You can email the mods if it's something that can be moderated, but please keep it private! It makes things worse if this kind of accusation happens to be wrong. (Also makes things worse if it's right). Often it's singling out an actual, real person for unpleasant scrutiny they didn't expect or want.
"Remember the human."
shaky-carrousel
Which rule did I break, exactly? I just stated a fact.
jeron
>And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
I don't think AI would come up with this line
ToValueFunfetti
Funnily enough, that's the line that made me suspicious it was AI. I've seen that structure and that sort of metaphor many times from ChatGPT. And it's not like GPT shies away from criticizing Altman (https://chatgpt.com/share/682623aa-eac0-8000-9fa3-d039580a01...). The rest of the comment doesn't set off any alarm bells for me.
martinsnow
When Elon can't get Grok AI to lie about him consistently, why should the others be able to?
vharuck
When I first read the headline, I thought it was a boneheaded mistake of forgetting to disable tracking on certain web pages. But no:
>The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. Covered California had dozens more than any other website we examined.
Why is Covered California such an outlier? Why do they need 60 trackers? It's an independent agency that only deals in health insurance, so they obviously (and horribly) thought it was a good idea to send data about residents' health insurance to a third party.
autoexec
I'm sure they did it for money. Those trackers weren't put there for nothing. At least government websites funneling citizens' data to Google by using Google Analytics on their sites can argue that they're just selling out taxpayers to get easy site metrics. When you've got 60 trackers on a single page though, somebody is stuffing their pockets with cash in exchange for user data.
threetonesun
I assume some of it was to show targeted ads on social media platforms. I'm sure an internal KPI is new customers, just like any e-commerce site.
neilv
For the last week, LinkedIn kept showing me ads for some specific dental procedure, near the top of my feed.
It's an optional follow-on procedure for the dental surgery procedure I had scheduled for this week.
I'm much more careful than most people about keeping Web search and browsing history private. But there's a chance that last week I browsed some question about the scheduled procedure, from my less-private Web browser, rather than from the Tor Browser that I usually use for anything sensitive that doesn't require identifying myself.
If I didn't make a Web OPSEC oops, it looks like maybe someone effectively gave private medical information to LinkedIn, of all places (an employment-matchmaking service, where employers are supposed to be conscientious of EEOC and similar concerns).
oaththrowaway
Why does a state have ad tracking data? Are they really that hard up for cash that they need to have ad campaigns for people selecting insurance?
timfsu
I understood it to be the reverse - they advertise on LinkedIn, and the trackers determine whether the users convert once they click through. Not great, but at least not as ill-intentioned.
kva-gad-fly
Not sure I understand this, but "I" (coveredca) pay LinkedIn to place my ads, for which "I" have to use their libraries? That then scrape "my" clients/customer data to LinkedIn? For them to make more money selling that data?
Does this also mean that those pious popups about "Do not sell my information" are essentially vacuous?
cryptonector
It could be insiders getting kickbacks.
1024core
[flagged]
daniel_reetz
Here's some context for people who are curious about CA DMV data sales:
https://www.thedrive.com/news/35457/why-is-the-california-dm...
1024core
How is this not a HIPAA violation??
SapporoChris
While I wish it was a HIPAA violation, I am not sure it qualifies. "The HIPAA standards apply to covered entities and business associates “where provided” by §160.102. Covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards" https://www.hipaajournal.com/what-is-a-hipaa-violation/#what...
Covered California is a health insurance marketplace. It is not an Insurance Carrier or an Insurance Clearing house. Perhaps they're guilty of something else?
Drunk_Engineer
However, it may violate the state's Electronic Communication Privacy Act.
https://calmatters.org/health/2025/05/covered-california-lin...
jeron
The state will do an investigation on itself and find no wrongdoing.
spacemadness
Sounds like HIPAA needs some adjustments made to cover marketplaces.
AStonesThrow
HIPAA is not designed to protect consumer or patient privacy. That is a silly fiction that voters and constituents believe in order to prop up the legislation.
HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers. HIPAA is designed to make it maximally difficult to move PHI from one provider to the next. HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers. HIPAA is a stepping-stone to single-payer insurance.
HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care. No entity under HIPAA can legally divulge the slightest tidbit to your brother, your parents, or anyone who contacts them, unless an ROI is on file. Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.
wrs
Two reasons: The marketplace is not a covered entity (it doesn’t provide healthcare or process transactions), and the information is not a medical record (it’s typed in by the user, not generated by a healthcare provider).
However, California has its own more general privacy law about using medical information for marketing purposes.
kjkjadksj
So if I fill out my medical record form at the doctor's office it's not a medical record because me the user filled it out before handing it over the front desk?
wrs
Because you filled it out in the context of interacting with a medical provider, then gave it to them for their records, that is a medical record. (Just like a conversation with your doctor about your history would be.)
If you filled out the same form just to keep in your desk drawer for your family’s reference, it would not be. Also, if you ask for a copy of your record, as soon as you take personal possession of it, HIPAA no longer cares about it, because you aren’t a covered entity.
(Source: I founded a startup that spent a lot of money on attorneys to confirm this.)
autoexec
Filling out forms at the doctor's office is one way they trick you into authorizing them to sell your data and no matter how careful you are about it you can still end up having your data sold. https://www.statnews.com/2023/04/07/medical-data-privacy-phr...
runjake
Who says it's not? It looks like a HIPAA violation to me.
oops_all_buried
[dead]
blindriver
If you routinely clear your cookies, does that protect you from long term tracking?
wat10000
Fingerprinting is an active area of research (both attack and defense), so the answer is, maybe, depending on just how unique your setup is. EFF has a nice demo that will try to fingerprint you and tell you how trackable you are based on non-cookie data: https://coveryourtracks.eff.org
Of course, new techniques are invented all the time, so that may not cover everything.
blindriver
Unless they are targeting a specific individual for spying purposes, is there any benefit to doing such deep fingerprinting at the individual level, given that multiple people might use the same computer? It seems like knowing every single thing done at that computer may be too much information that might not have value but having more broad-based tracking patterns would be cheaper and more profitable, no?
wat10000
Advertisers say that the better they can target advertisements, the more valuable they are. If so, then every bit of fingerprinting helps. Maybe multiple people use a computer which degrades it for those particular people, but then many other computers are used by only one person, so it's helpful in aggregate. I'm skeptical this actually works, given the atrocious quality of ads that I see when they sneak past my ad blocker, but that's what they say.
goldchainposse
People like to say "big tech sells their data." This is actually rare. Almost every other company you deal with willingly gives it to big tech, and they just hoard it and run ads with it.
knowitnone
California will investigate and find no wrong. Also, LinkedIn==Microsoft
ty6853
They published ("leaked" lol no -- it was all available through a polished portal) the name and address of all CCW and DROS registered firearm holders (including judges, DV victims, prosecutors, etc) and nothing happened.
They use your information for political warfare.
treebeard901
The reality is that anyone in the medical field can put any kind of information in your medical records for any reason. Many motivations exist to compel this kind of behavior. Sometimes this can be in a part of your permanent record that they do not have to provide to you, even if you follow the rules and laws to request the information. Many exceptions exist under the disclosure laws.
Your information then can be freely shared with others but not given to you or give you any way to correct the false information in your record.
For what it's worth, in the United States at least, you have several permanent records that follow you everywhere you go. Your medical records work in a similar way to your former employers. In fact, employer confidentiality to other employers allows them to say almost anything about you and neither has to share it with you and you have no chance to have any kind of fair process to correct it.
Now add all the data brokers and the other bribery kind of situations and the whole system is basically broken and corrupt.
nradov
That is misinformation. HIPAA covered healthcare providers are legally required to give you copies of your health information upon request, and can only charge a nominal fee for this service (in practice it's usually free). Any patient who is blocked from accessing their own medical records should file a formal complaint with HHS; they have fined multiple provider organizations for violations.
https://www.hhs.gov/hipaa/for-individuals/guidance-materials...
https://www.hhs.gov/hipaa/for-professionals/compliance-enfor...
barbazoo
My understanding is that people would have to intentionally click on the ad on LI to get access to the cookie that contains the sensitive info from the insurance signup flow (which was triggered by clicking the ad). Is that correct?
dzdt
Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act. It only mentions as an aside that there are various related lawsuits.
Covered California's privacy policy explicitly says they follow HIPAA and that "Covered California will only share your personal information with government agencies, qualified health plans or contractors which help to fulfill a required Exchange function" and "your personal information is only used by or disclosed to those authorized to receive or view it" and "We will not knowingly disclose your personal information to a third party, except as provided in this Privacy Policy".
Those privacy policy assertions have been in place since at least October 2020, per the Internet Archive wayback machine record. [2]
[1] https://www.coveredca.com/pdfs/privacy/CC_Privacy_Policy.pdf
[2] https://web.archive.org/web/20201024150356/https://www.cover...
autoexec
Companies outright lie in their privacy polices all the time. The legal risk in doing so is basically zero because nobody bothers to sue and it's impossible to show damages.
rob_c
Brought to you by the state reinventing GDPR for the American audience, another 80IQ moment which will be lauded by some as a brave new world...
Get your act together and either resign or stop handling public data let alone the sensitive stuff. I'm serious, draft that letter now.
Covered California, the state’s health insurance marketplace, leaked deeply sensitive health information and pregnancy status, domestic abuse disclosures, and prescription drug use to LinkedIn via embedded ad trackers.
It’s a pattern we’ve seen across government and private sectors: infrastructure designed for care is being exploited for behavioral targeting through advertising motions. The public doesn’t expect their health decisions to be fed into social ad networks, but the platforms already assume ownership of that data trail.
And of course, it’s all connected. The same companies monetizing behavioral profiling at scale are now running the most powerful generative AI systems. Microsoft, which owns LinkedIn, is also the key infrastructure partner of OpenAI. Meta's ad tools were present on these health sites too. Google’s trackers are everywhere else.
When you strip away the techno-mystique, what’s driving the AI and data arms race isn’t wisdom. It’s ego, power consolidation, and a pathological fear of being second.
And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?