An analysis by congressional staffers revealed that Google, Twitter, Yahoo and Advertising.com are among the third parties receiving information from HealthCare.gov.
The revelation comes after the Associated Press reported Jan. 20 that commercial third parties had access to certain patient information. A group of eight House and Senate committees and subcommittees wrote a letter Jan. 30 to HHS Secretary Sylvia Mathews Burwell calling for immediate action on the website's security vulnerability.
"New and potentially more serious reports now further underscore why HealthCare.gov implementation failures cannot be simply overlooked — because they have real consequences for American consumers who visit HealthCare.gov," the letter read.
The information available to the third parties include visitors' names, location and pregnancy status, and would have been available long after the visit to the website ended because of the cookies the website uses that store data.
CMS defended the information sharing practice in a Jan. 24 blog post, saying it was using third-party tools to "do important things," but acknowledged that some of the complaints are warranted. The blog post said the administration would take further steps to ensure the safety of information through encryption. The committees and subcommittees remain unconvinced of the encryption's efficacy, writing in their letter, "It is not at all clear that this layer of protection is sufficient."
The letter included a list of questions for HHS, setting a response deadline of Feb. 13. The questions ask whether HHS or CMS knew the information had been shared, whether under HHS and CMS's authorization or not, whether the third parties paid the government for access to the information, an explanation of what the "third-party tools" it referred to were and a list of all the personnel involved in the ongoing HealthCare.gov security review.
HealthCare.gov is also under scrutiny for contracts and procurement failures. The Office of the Inspector Generaland the HHS released a report on Jan. 20 as well, highlighting several failures around the development and security of the website.