
California – California’s health insurance exchange is facing mounting criticism and potential legal scrutiny following revelations that its website, CoveredCA.com, transmitted users’ sensitive personal and health data to LinkedIn, a Microsoft-owned platform, via embedded tracking tools.
The report, published Monday by nonprofit investigative outlet The Markup, found that Covered California used LinkedIn’s “Insight Tag” to collect and share information from visitors, including first names, the last four digits of Social Security numbers, pregnancy status, gender identity, prescription drug use, and even whether users had experienced domestic abuse. The data collection, active from February 2024 until early April, potentially affected thousands of Californians seeking health insurance coverage.
Covered California confirmed the breach in a statement released Monday, calling the transmission of sensitive data “inadvertent.” Officials said that all advertising-related tags had been deactivated “out of an abundance of caution.” The organization has launched a full review of its information security practices.
“This is incredibly disturbing,” California Representative Kevin Kiley posted on X (formerly Twitter). He urged Health Secretary Robert F. Kennedy Jr. to open an investigation into potential violations of the Health Insurance Portability and Accountability Act (HIPAA). So far, the Department of Health and Human Services has not issued a response.
Privacy experts say the breach raises serious concerns. Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, called the data collection “concerning and invasive,” especially given the expectation that health-related websites protect sensitive user information.
“People don’t expect that their health data will be collected and sent to a social media company,” Geoghegan said. “This is an exact example of why we need better protections.”
In a statement, LinkedIn said its advertising tools are not intended to be used on pages collecting sensitive data and that its Ads Agreement prohibits such practices. However, the site’s Insight Tag had been active across dozens of pages on CoveredCA.com, capturing not just page visits but detailed user inputs related to medical needs and identity.
According to CalMatters, which collaborated with The Markup on the investigation, Covered California had over 60 separate trackers on its site—far more than the average of three found on most other government websites. The trackers monitored users as they selected doctors, searched for hospitals, and disclosed personal details such as ethnicity, marital status, and frequency of surgeries.
Covered California, an independent agency created under the Affordable Care Act, has enrolled nearly 2 million people as of March and is credited with helping drop the state’s uninsured rate by over 10% since 2014.
Yet experts warn that this incident could undermine trust in the system. Past tracker-related privacy breaches at other institutions have led to lawsuits, federal investigations, and policy changes. LinkedIn is facing several class-action lawsuits in California over similar alleged data violations at medical scheduling websites.
As the investigation unfolds, Covered California has pledged transparency and promised to share additional findings. “We are committed to safeguarding the privacy of our consumers,” spokesperson Kelly Donohue said. “We are taking every step necessary to ensure this does not happen again.”