The Markup, now a part of CalMatters, uses investigative reporting, data analysis, and software engineering to challenge technology to serve the public good. Sign up for Klaxon, a newsletter that delivers our stories and tools directly to your inbox.

Citing an investigation by The Markup and CalMatters, lawmakers in the House of Representatives are questioning why California’s state health insurance exchange shared sensitive health data with LinkedIn.

In a letter sent last week to Jessica Altman, executive director of the state’s exchange, the lawmakers write they are “deeply concerned about the privacy and security implications” raised by a Markup and CalMatters story published in April.

The story showed through forensic testing how the exchange, Covered California, used trackers that told LinkedIn when visitors entered health information like whether they were blind, pregnant, or used a high number of prescription medications into the website coveredca.com. 

The trackers, which operated for more than a year as part of a marketing campaign before being removed, also logged information like whether visitors were transgender or possible victims of domestic violence.

Kentucky Congressman Brett Guthrite, who chairs the House Committee on Energy and Commerce, sent the letter alongside four other Republican lawmakers. “The Committee seeks to understand how such sensitive data could have been transmitted through advertising trackers, what oversight existed to detect or prevent it, and whether Covered California took appropriate steps to protect consumer information,” the lawmakers wrote.

The other signatories are Rep. Earl L. “Buddy” Carter of Georgia, who chairs Energy and Commerce’s health subcommittee; Rep. Gary Palmer of Alabama, who chairs the oversight and investigations subcommittee; Rep. Gus M. Bilirakis of Florida and California Rep. Jay Obernolte. 

The letter said “the extended period of data exposure raises serious questions about the adequacy of safeguards that Covered California had in place.” Those “circumstances warrant examination of Covered California’s actions under federal privacy standards,” including the Health Insurance Portability and Accountability Act, or HIPAA, the letter continued. 

As part of the Affordable Care Act, states must offer health insurance through exchanges that allow residents to shop for and purchase health care plans. States can either let the federal government operate those exchanges or maintain their own, as California and 18 other states do. 

In California, millions of people rely on the exchange to find their coverage. But unbeknownst to those signing up for care, the exchange’s website used a tool called the “LinkedIn Insight Tag” that sent answers to potentially sensitive questions to the tech company. The tag is widely used for advertising purposes but LinkedIn explicitly prohibits using it to share health data.

In response to The Markup and CalMatters’ reporting, Covered California said the exchange had inadvertently shared the data and that it had instituted a review of practices. As the review happens, the organization said that it has paused its use of trackers entirely. 

The investigation immediately triggered an outcry. One House lawmaker asked in a letter to the Department of Health and Human Services whether the practice may have violated HIPAA. A proposed class-action lawsuit against LinkedIn and Google alleging privacy violations was also filed one day after the story was published.

Since then, a followup investigation by The Markup and CalMatters found four other state exchanges also sharing information with tech companies. The stories were produced as part of a series called Pixel Hunt, examining the unexpected ways websites share data.

A spokesperson for Covered California said they had received the letter and planned to respond by the committee’s deadline of July 1st. A spokesperson for LinkedIn declined to comment.

The lawmakers asked Covered California to provide answers and documents in response to several questions about the organization’s data privacy practices, as well as its use of web trackers generally. The questions included what data was sent to LinkedIn, how many people were affected, and how or whether those affected will be notified.

“Ensuring the confidentiality of health information is a foundational obligation for entities operating within the health insurance ecosystem,” the lawmakers wrote.