Why Were There So Many Third-Party Apps on HealthCare.gov, Anyway?

The large number of third-party applications and tools embedded in the background of HealthCare.gov that quietly collected some information about users remains baffling to cybersecurity experts and privacy advocates.

The Associated Press last month first reported on the hoard of third-party applications scooping up data about HealthCare.gov users -- including their age, income, ZIP code, whether they smoke and if they are pregnant.

The Centers for Medicare and Medicaid Services says third-party applications can provide helpful information about site visitors, although the practice has since been significantly curtailed.

But the sheer number of third parties that once operated on the site, including Facebook, Google, Twitter and scores of online advertisers, continues to raise eyebrows.

"The act of having, especially for a government website, that many entities in order to do something like retargeting -- tracking user preferences to serve up more relevant ads -- “to me is inexplicable,” said Michelle De Mooy, deputy director for consumer privacy at the privacy-conscious Center for Democracy and Technology think tank.

She testified Thursday before a House Science, Space and Technology subcommittee.

Think Tank: Privacy Policy Needs a Rewrite

De Mooy's group has recommended government developers build their own digital analytics tool instead of relying on a third-party software provider.  HealthCare.gov’s “very broad and very vague” privacy policy should also be updated, De Mooy said.

The site’s overall privacy policy basically deferred to the individual privacy policies of the third parties, she said. “So the onus was on the consumers or the visitors to the site to find out the policies, then, of the third parties, which is a little disingenuous considering that many people had no idea that these third parties were there in the first place.”

Morgan Wright, a private-sector cybersecurity consultant, said at one point there were as many as 50 third-party applications embedded on the site. That number was down to 11 the day of the hearing, he said.

For comparison, WhiteHouse.gov has four third-party apps running in the background and IRS.gov just two, he said.

"There's no doubt some level of measurement is needed,” Wright said, referring to Web analytics. “But 50 is digital overkill."

Despite being invited by committee leaders, no government officials testified at Thursday’s hearing, citing timing issues. The full committee chairman, Lamar Smith, R-Texas, sent letters Jan. 29 to CMS Administrator Marilyn Tavenner, Health and Human Services Secretary Sylvia Burwell and U.S. Chief Technology Officer Megan Smith notifying them of the upcoming hearing.

'Lazy Contractors' to Blame?

De Mooy speculated the excessive amount of third parties on the site may have been the result of the chaotic development of the site leading up to its troubled launch in the fall of 2013.

"To me, it is an example -- and this is just speculation -- of when you have multiple different contractors working on a project, this was sort of the easiest and kind of laziest way to design the site,” she said. “There are ways to do it in-house, and there are ways to do it in a more privacy-protective manner, but that was not done here."

When asked by Nextgov about the use of third-party apps on the site, CMS spokesman Aaron Albright declined to comment beyond a Jan. 20 blog post from Kevin Counihan, the CEO of the federal insurance marketplace.

In the post, Counihan said the site used third-party apps to “get visibility into when consumers are having difficulty, or understand when website traffic is building during busy periods.” In addition, the agency inked deals with third-party companies to provide digital advertising and website analytics, Counihan said.

There’s been no indication personal information collected on HealthCare.gov has been misused by any of the companies provided access to the site.

Third-party providers that track website performance and collect targeted information on users, it should be noted, are pretty much par for the course for most commercial websites.

"Data sharing is absolutely aggressive,” De Mooy testified. “In terms of protections, there are very few."

(Image via everything possible/Shutterstock.com)