When I first read the headline, I thought it was a boneheaded mistake of forgetting to disable tracking on certain web pages. But no:
> The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. Covered California had dozens more than any other website we examined.
Why is Covered California such an outlier? Why do they need 60 trackers? It's an independent agency that only deals in health insurance, so they obviously (and horribly) thought it was a good idea to send data about residents' health insurance to a third party.
I'm sure they did it for money. Those trackers weren't put there for nothing. At least government websites funneling citizens' data to Google by using Google Analytics on their sites can argue that they're just selling out taxpayers to get easy site metrics. When you've got 60 trackers on a single page though, somebody is stuffing their pockets with cash in exchange for user data.
Covered California, the state’s health insurance marketplace, leaked deeply sensitive health information and pregnancy status, domestic abuse disclosures, and prescription drug use to LinkedIn via embedded ad trackers.
It’s a pattern we’ve seen across government and private sectors: infrastructure designed for care is being exploited for behavioral targeting through advertising motions. The public doesn’t expect their health decisions to be fed into social ad networks, but the platforms already assume ownership of that data trail.
And of course, it’s all connected. The same companies monetizing behavioral profiling at scale are now running the most powerful generative AI systems. Microsoft, which owns LinkedIn, is also the key infrastructure partner of OpenAI. Meta's ad tools were present on these health sites too. Google’s trackers are everywhere else.
When you strip away the techno-mystique, what’s driving the AI and data arms race isn’t wisdom. It’s ego, power consolidation, and a pathological fear of being second.
And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
Would we be surprised to learn of 10x this level of leakage to Facebook? Based on the social tracking I've casually observed via browser tools when signing up to a variety of services, I'd be surprised if it's not. The weird thing here is that it's LinkedIn getting the data, not that it's being sent.
What we call "power" is not a property of a person, but a function of networks of relationships. A king is only "powerful" insofar as his authority is recognized. The moment his perceived authority is lost, the moment no one or few recognize it, is the moment he no longer has "power".
In other words, it only works if there is enough social support for it. It requires our complicity.
Most people with ASPD (what you call sociopathy) are not able to build these sorts of networks. They're impulsive. They are over-represented among the homeless. They are poor at planning or foreseeing the consequences of their actions. These are not exactly conducive to building these social networks. A sociopath is more the street thug or the gangbanger and less the CEO of a corporation.
What do you define as “class warfare?” Do you agree that the current status-quo hyper-consolidation of wealth our economy has fostered since at least 1972 is already an ongoing type of class warfare?
And finally, why do you think class warfare can’t get us anywhere?
People advocating for their interests isn't warfare.
I assure you there are virtually no rich people cackling, monocles and cigars in place, over the fate of the poor.
When the working class unionizes or votes for more rights, this isn't warfare - as long as it's fair-minded and pragmatic rather than ideological. The same goes for the rich.
Regarding people with other backgrounds and interests as evil sociopaths / socialists is where the problem comes in.
Musk waving a chainsaw is one out of many hundreds of millions of rich people. And there's reason to believe that he believes he's doing something that's good for society in the long run, even if you disagree with him.
It's not often I come across someone who so clearly identifies as a temporarily embarrassed millionaire.
By definition, 1% of the world's population is 80MM people, so your "hundreds of millions" statement bares your ideological slant more than you may realize.
Your comment has two lines but manages to be very puzzling indeed.
"temporarily embarrassed millionaire" is a term that bares your ideological slant, which I hope and I'm sure you realize. But that you pose our ideological differences as a problem is bizarre. You do realize the world contains left- and right-wingers, and that probably 90% of the population is somewhere in the middle, right? And that this is OK? Or do you insist that everyone see things 100% as you do?
Also, who said only the 1% is rich? If I say it's the top 2% then we're well into the hundreds of millions, no? And what about all the rich people who were alive in the past, can we not use their attitudes for our discussion too? And what if we pick a numeric cutoff to be considered rich, or a qualitative one?
Empathy is intelligence, a void of empathy is lack of intelligence. Empathy is the only means to "put your self in someone else's shoes".
I would also classify narcissism as a void of intelligence, they cannot be honest with others and themselves. They always must be right and know everything when they are wrong and know nothing about the subject.
Lacking empathy and being a narcissist does not benefit society, only one's self interests. That is billionaire, not millionaire, Elon Musk. He is just selling the idea of "doing something good" to improve his self interests.
How many charities does he fund? How much of his wealth goes to studying the eradication of diseases like cancer or Parkinson's?
But don't worry, his statement from 2014 about full self driving cars are just around the corner and will help humanity reach its peak. Just like traveling to Mars. /s
His actions actually harm society. Hungry children have reduced mental capabilities to advance in school and their futures. He chose to actively harm future generations and those he doesn't deem worthy.
I feel an intense hatred for him and his "colleagues."
And I want to do something about his atrocious actions.
But I'm afraid that the things I would do are as wrong as theirs.
I see it all the time on Reddit, on social media, and sometimes occasionally on this site when I was scrolling amongst its various pages.
Some on the left claim "There's a reason for a 2nd amendment" or "Time to kill the rich" and more varying levels of obscene and violent rhetoric.
But there's a problem there, both sides are becoming more extreme, hateful, and violent; and from my perspective - perhaps others won't share mine - I see the world becoming colder, becoming more cruel and hateful.
The world is losing its empathy, and as you wrote...
The world is becoming more stupid quite plainly.
And I want to do something about it, I try to research, to analyze, and I try to use what's left of my critical thinking skills that haven't already been eroded by social media and A.I.- But I just can't. I genuinely don't know what to do.
So here is my question, for others on this site:
What can we do about these outrageous individuals, pushing the U.S. and the world back generations and years of scientific advancements, how do we stop them?
And how do we stop the growing coldness that is growing slowly through the world?
Technology increases the size of the pie, but it is always possible to make the distribution of slices extremely unequal. More gdp and tech does not guarantee a better quality of life, as many countries today demonstrate.
> Tech progress and GDP growth has meant that the world's poor live better lives, decade after decade, for many centuries now.
Every single time during the leaps of technology that brought tech progress and GDP growth there needed to be some kind of workers' revolt or the threat of it to actualise poors living better lives. Every leap in progress of systemic quality of life for workers came through class war: revolts, general strikes, mass protest, organized labour, etc.
There was no workers' revolt in the 19th century US, but the lives of the poor across the board pulled scores of millions in poverty into the middle class and beyond.
The common thread of workers' lives improving is free markets, not revolts.
That is not accurate. There were many strikes in the industrial part of the US during the 1800's. That's how working conditions were improved in the mills. The free market would have crushed the working people had they not banded together and revolted to improve safety, reduce working hours, and increase pay.
The rest of the US was primarily agricultural, and did not have major strikes until later, but the improvement in the lives of those people who lived there was not because of free markets. Their lives improved because of the immense natural resources that were literally being given away free to people to cultivate and exploit, after the Native Americans were subjugated and removed.
> The rest of the US was primarily agricultural, and did not have major strikes until later, but the improvement in the lives of those people who lived there was not because of free markets. Their lives improved because of the immense natural resources that were literally being given away free to people to cultivate and exploit, after the Native Americans were subjugated and removed.
The same thing at the same time happened in Central and South America, yet prosperity and uplift never happened.
What's the difference? Free markets in the US. Unfree markets in Central and South America.
Japan, S Korea, Taiwan and Hong Kong have no natural resources, but when they turned to free markets, it's boom time for their economies.
That is not accurate again. Not only did North America have much more available and abundant natural resources than Central America and South America, the immigration to North America was much higher, so there was a more able labor force to cultivate and exploit the land. Your reductionist stance about free markets is misleading. A free market is only one component of why these places prospered, and may be the least important. Civil liberties and political stability, in addition to the natural abundance already mentioned, were probably much more responsible for the prosperity of North America. Likewise, with post-war Asia you miss the mark. For example, you overlook Japan's pre-war industrial development as well as their embrace of defeat after the war to develop their economy and civil society. I'm not arguing for planned economies (quite the opposite), but the lack of nuance in your argument means that you miss the mark.
Do you really believe that lack of resources in S America meant lack of prosperity? It's still composed of third world countries.
> and may be the least important
It's the only common thread. I provided numerous examples that refute the requirements you listed.
> Japan
Japan's pre-war industrial economy was not an economic powerhouse. Their soldiers were very lightly equipped. They built a handful of capital ships, and when those were sunk they couldn't be replaced. Curtis LeMay resorted to area bombing of Japan because their heavy industry was a collection of homes with drill presses (LeMay's characterization) so there weren't concentrated industrial targets.
What's the excuse for S Korea, Taiwan, Hong Kong?
Have you noticed that when China gave up on collectivism and turned to free markets, suddenly they became a very prosperous world power?
Yes, people preferred to immigrate to the US. Why would that be? Because it is free market and hence a land of opportunity, unlike any place else at the time.
China has an enormous population, but did not become prosperous until, again, free markets.
There was the Homestead Strike in 1892, during which 9 people died. The Pinkerton Detective Agency, which "handled" the strike for Carnegie, is notorious for violently busting strikes in the 19th century US.
Err, "today" today? Today looks more like May 15 to me.
The 19th century closed on December 31, 1900, right? Do you disagree with that? That the 20th century began on 1/1/1901? Not in dispute?
I would say we're at 124.5 years after its close today, if you really mean today. I suppose if you want to be sloppy and round up we could achieve 125, but technically, we're still, like, 7.5 months away from December 31st.
I feel I need to repeat myself so you can properly read: I clearly mentioned both were required to bring forth better quality of life to workers. Without workers' revolt there is only ever increasing exploitation, every single perk the poorer have got after advances brought forward by free markets was through a revolt, a mass protest, general strike, without those there would still be slavery, legalised child labour, 16h workdays, etc.
Yet again you are lost in ideology, Walter, it gets very tiring after a while, you only got a hammer and you gotta nail everything with that hammer. It's comically myopic.
I could say the same about your arguments. Labor unions simply did not affect a high enough percentage of the population to attribute American prosperity to them.
> without those there would still be slavery
Slavery was abolished due to the Union Army, not unions. I've never heard any mention of labor unions being part of the abolitionist movement.
> legalised child labour
The abolition of child labor was not the result of labor unions.
> 16h workdays
Were only made possible by productivity improvements brought about by free markets.
> It's comically myopic
What's funny is all these learned academics who overlook the glaringly obvious and consistent correlation of free markets with prosperity, and keep coming up with other reasons for prosperity that aren't consistent at all.
Unionizing and voting for Saturdays off and the politics of the underdog hardly counts as "warfare".
It's when we regard one another as evil that we start to pursue ideology over pragmatism and end up cutting off our noses to spite our faces.
I object to my original parent comment's characterizing of everyone with any form of wealth and power as being a sociopath. It's not only untrue (which is disqualification enough), but this kind of attitude doesn't serve anyone.
> Unionizing and voting for Saturdays off and the politics of the underdog hardly counts as "warfare".
Yes, the workers' demands were reasonable, but they were met with warfare by the upper class who did not want to accept reasonable demands. The most extreme example is the Battle of Blair Mountain, but there are countless records of strike breakers beating and killing workers for striking and unionizing.
It was more of a middle class thing. It kind of worked kind of relatively well for them. When the French Kingdom was reestablished after Napoleon it was run by bankers and not nobles.
I can't tell if that is sarcasm or not. It was characterized by mass dysfunction and devolved into a dictatorship within 5 years, and 10 years of global war as France tried to fund populist mistakes by pillaging foreign countries, a million French deaths, and maybe 4 million foreign deaths, not to mention mass wounded, starvation, and hardship.
The class struggle is a perspective. It points to how blind rich people are to social issues, and how blind the poor are to economic issues. These two need the struggle, gently. Without it, there is either bloody revolution or cruel autocracy.
That's as simple as it gets. Many people get it wrong.
I am poor, and if I am blind to economic issues, I will be worse off. I need to be frugal. I need to keep track of the things I am paying. I need to ask myself before each purchase: do I really need it? And so forth... Sure, many poor people might still gamble away their money, or buy stuff they cannot afford, but humans are being humans.
I think publicly leveling accusations against other commenters downgrades the quality of the conversation—and it's against the forum rules too.
You can email the mods if it's something that can be moderated, but please keep it private! It makes things worse if this kind of accusation happens to be wrong. (Also makes things worse if it's right). Often it's singling out an actual, real person for unpleasant scrutiny they didn't expect or want.
> "Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data."
I understand your point. And I would agree if the comment would be ambiguous. But it's clearly AI. And I'm honestly really tired of AI slop. I can accept AI helping one person to understand something, or helping one to build an argument. But copying and pasting is a totally different thing.
> And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
Funnily enough, that's the line that made me suspicious it was AI. I've seen that structure and that sort of metaphor many times from ChatGPT. And it's not like GPT shies away from criticizing Altman (https://chatgpt.com/share/682623aa-eac0-8000-9fa3-d039580a01...). The rest of the comment doesn't set off any alarm bells for me.
For the last week, LinkedIn kept showing me ads for some specific dental procedure, near the top of my feed.
It's an optional follow-on procedure for the dental surgery procedure I had scheduled for this week.
I'm much more careful than most people about keeping Web search and browsing history private. But there's a chance that last week I browsed some question about the scheduled procedure, from my less-private Web browser, rather than from the Tor Browser that I usually use for anything sensitive that doesn't require identifying myself.
If I didn't make a Web OPSEC oops, it looks like maybe someone effectively gave private medical information to LinkedIn, of all places (an employment-matchmaking service, where employers are supposed to be conscientious of EEOC and similar concerns).
I understood it to be the reverse - they advertise on LinkedIn, and the trackers determine whether the users convert once they click through. Not great, but at least not as ill intentioned
Not sure I understand this, but "I" (coveredca) pay LinkedIn to place my ads, for which "I" have to use their libraries? That then scrape "my" clients/customer data to LinkedIn? For them to make more money selling that data?
Does this also mean that those pious popups about "Do not sell my information" are essentially vacuous?
While I wish it was a HIPAA violation, I am not sure it qualifies.
"The HIPAA standards apply to covered entities and business associates “where provided” by §160.102. Covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards"
https://www.hipaajournal.com/what-is-a-hipaa-violation/#what...
Covered California is a health insurance marketplace. It is not an Insurance Carrier or an Insurance Clearing house. Perhaps they're guilty of something else?
HIPAA is not designed to protect consumer or patient privacy. That is a silly fiction that voters and constituents believe in order to prop up the legislation.
HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers. HIPAA is designed to make it maximally difficult to move PHI from one provider to the next. HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers. HIPAA is a stepping-stone to single-payer insurance.
HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care. No entity under HIPAA can legally divulge the slightest tidbit to your brother, your parents, or anyone who contacts them, unless an ROI is on file. Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.
The other person who replied to you is much more accurate.
> HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.
If I am a provider (and I am, or have been) of yours, I can get information from other providers on the care they've provided you. In fact, as appropriate, I can get it without your permission or consent (particularly useful in situations of pill-seeking, or mental health, but other situations too, that I encountered as a paramedic).
While many providers will get you to sign paperwork consenting to this, it is mostly CYA.
IANAL, but I work in healthcare, and a portion of my work is trying to ensure obligations under HIPAA are met.
> HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers.
No? I can practically quote the law directly here, though it is a bit dense:
> A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
I.e., the privacy of your, the patient's PHI is protected.
That's a privacy regulation, and it is talking about and protecting the privacy of patient data, not provider's, etc.
> HIPAA is designed to make it maximally difficult to move PHI from one provider to the next.
It does no such thing. But [1].
> HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers.
Plaintiffs can divulge their own PHI directly to lawyers. Otherwise, no, lawyers don't get to access random people's PHI … but that's directly because the privacy of that PHI is protected. Further, one of the exceptions to HIPAA's protections is judicial order … so if plaintiffs can get a judge to agree, they can get a limited window into people's PHI. But … no, they don't just get to see?
> HIPAA is a stepping-stone to single-payer insurance.
… clearly not, or where is it?
> HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.
People: you're always permitted to divulge whatever you want, to whomever you want, about your own PHI. But no, a doctor cannot divulge PHI to, e.g., an adult's parents without authorization. Again, this is to protect the patient's privacy: for example, so that a woman can keep something medically private from her husband if she chooses, or an (adult) patient can not have nosy parents learning things that are not their business, etc.
(Parents/guardians of non-adult children are treated differently, of course. There are other exceptions, and exceptions to the exceptions, but generally, they follow pretty common sense lines.)
Providers, entities: again, HIPAA only prevents this without your consent, and that's basically what privacy is.
And … you know this:
> unless an ROI is on file.
(An ROI is a "release of information", for others.) Yes, if you consent, then your PHI can be divulged. This is like the very definition of patient privacy.
> Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.
This isn't true, either; I've had providers ask for ROIs, and nothing prevents a provider from taking initiative. (Perhaps you need a better provider.) Yes, to a large extent, you must own your own outcome in American healthcare, but I think this is more a function of other failings in HC than HIPAA.
Also, … yes, ROIs are scoped: they're only good for a specific instance of releasing information, i.e., they're not carte blanche to the provider to release your information to the world. Again, that's a privacy protection.
In the specific case covered by TFA, upstream is right: it is unfortunate that marketplaces might not be covered entities, and probably should be. This would be a common sense update to the law, so call your congressperson. Were they, HIPAA prohibits what occurred here, and other covered entities have been fined for exactly this type of error/behavior. I.e., HIPAA has prior examples of preventing exactly the badness here!
[1] I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent. I'd say this is more a function of providers not adhering to standards like they ought to; I've seen precious little use of FHIR (for others: standardized format for HC data) in my time in the industry, and the state of tech for inter-provider transfers is such that most providers probably do find it easier to just recollect the data they need. Heck, even within a provider, I've witnessed struggles to transfer data.
> Providers, entities: again, HIPAA only prevents this without your consent, and that's basically what privacy is.
Not even, it specifically allows providers who are actively caring for you to share, even without your consent. Straight from the horse's mouth:
"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."
> I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent.
It doesn't even really always require consent, but a provider relationship. Consent can grease the wheels though.
It's like you said, very little use of FHIR or still so so much HL7. And anyone who has dealt with those standards knows that just because EHR vendor A says they support them, and EHR vendor B does, doesn't mean data sharing will be smooth.
Yeah. (I didn't include that as it seemed like the person above was writing specifically about provider-provider sharing, and while I know provider-BA sharing is fine in the course & context of administering care, I was less sure about provider-provider. But I think there are plenty of examples of this in my own HC, such as when I go for a blood draw and I get 8 bills. But again: HIPAA really doesn't throw too many surprising curve balls here.)
And yeah, lots of HL7v2. (for readers: HL7v2 is a protocol for medical data sharing. Predates FHIR, and is muuuuch uglier. FHIR is JSON/HTTP, albeit complicated, because medical. HL7v2 is custom binary (or I think there's an XML variant that I pray I never run into?). Not to be confused with the organization HL7.
HL7v2 is also the reason for a lot of having to deal with IPSec tunnels, something else I could stand to never see again.)
> And anyone who has dealt with those standards knows that just because EHR vendor A says they support them, and EHR vendor B does, doesn't mean data sharing will be smooth.
Yep. Some unintentional (the standard is complex, people make mistakes), some intentional (the standard permits extension, and obviously custom extensions might not port).
And that's like every other standard an eng on HN is going to interact with, really.
Two reasons: The marketplace is not a covered entity (it doesn’t provide healthcare or process transactions), and the information is not a medical record (it’s typed in by the user, not generated by a healthcare provider).
However, California has its own more general privacy law about using medical information for marketing purposes.
So if I fill out my medical record form at the doctor's office it's not a medical record because me the user filled it out before handing it over the front desk?
Because you filled it out in the context of interacting with a medical provider, then gave it to them for their records, that is a medical record. (Just like a conversation with your doctor about your history would be.)
If you filled out the same form just to keep in your desk drawer for your family’s reference, it would not be. Also, if you ask for a copy of your record, as soon as you take personal possession of it, HIPAA no longer cares about it, because you aren’t a covered entity.
(Source: I founded a startup that spent a lot of money on attorneys to confirm this.)
Filling out forms at the doctor's office is one way they trick you into authorizing them to sell your data and no matter how careful you are about it you can still end up having your data sold. https://www.statnews.com/2023/04/07/medical-data-privacy-phr...
They published ("leaked" lol no -- it was all available through a polished portal) the name and address of all CCW and DROS registered firearm holders (including judges, DV victims, prosecutors, etc) and nothing happened.
Not if you use Chrome 135 or later, which is every browser now except Firefox/LibreWolf.
Federated Learning of Cohorts (FLOC) proved that cookies aren't actually necessary to track you with 98%+ precision, which, given how the internet works, is just 2 clicks.
The only way to stay anonymous is to stay on the radar. Sandbox your browser, have multiple physical-on-the-filesystem profiles and never mix business with pleasure or banking with youtube.
If you use Linux, create a Windows 11 VM to browse anonymously. Because Linux makes you already stick out as a sore thumb due to its TCP fingerprint.
Fingerprinting is an active area of research (both attack and defense), so the answer is, maybe, depending on just how unique your setup is. EFF has a nice demo that will try to fingerprint you and tell you how trackable you are based on non-cookie data: https://coveryourtracks.eff.org
Of course, new techniques are invented all the time, so that may not cover everything.
Unless they are targeting a specific individual for spying purposes, is there any benefit to doing such deep fingerprinting at the individual level, given that multiple people might use the same computer? It seems like knowing every single thing done at that computer may be too much information that might not have value but having more broad-based tracking patterns would be cheaper and more profitable, no?
Advertisers say that the better they can target advertisements, the more valuable they are. If so, then every bit of fingerprinting helps. Maybe multiple people use a computer which degrades it for those particular people, but then many other computers are used by only one person, so it's helpful in aggregate. I'm skeptical this actually works, given the atrocious quality of ads that I see when they sneak past my ad blocker, but that's what they say.
Is Covered California a government entity, for profit, non profit, other...? Not that it matters.
"Leak" is not the right term. By default a "website" is a 404. Throw some HTML on there and users can see something. Adding LinkedIn tracking is a deliberate choice. Calling the data "leaked" is like saying a raft sprung a "leak" when the person in the raft punctured it 60 times (number of trackers). The data was shared and pushed to LI, on purpose. They (Covered CA) installed LinkedIn's code on their site. The code did exactly what it was intended to do, send data to LinkedIn.
A leak is accidental, this was a choice by Covered CA.
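Added example, not part of the thread and not Covered California's code: a static audit that lists the third-party hosts a page's markup tells the browser to contact, and reports any that are not on an approved list. The page URL, hosts and allowlist are constructed placeholders, and treating the last two host labels as the "site" is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute causes the browser to issue a request.
FETCHING_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "embed": "src", "source": "src", "link": "href"}
# <link> only fetches for some rel values (rel="canonical" does not).
FETCHING_LINK_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
                      "dns-prefetch", "icon", "modulepreload"}


def site_of(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for this example; real audits should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class _ResourceCollector(HTMLParser):
    """Collects (tag, absolute_url) for every http(s) resource the markup loads."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_LINK_RELS:
                return
        value = attrs.get(attr)
        if not value:
            return  # inline script, or attribute without a value
        # Resolves relative and protocol-relative (//host/path) references.
        absolute = urljoin(self.page_url, value.strip())
        if urlsplit(absolute).scheme in ("http", "https"):
            self.resources.append((tag, absolute))  # skips data:, about:, etc.


def third_party_hosts(html, page_url):
    """Map each third-party host to the list of tags that load from it."""
    first_party = site_of(urlsplit(page_url).hostname)
    collector = _ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.resources:
        host = urlsplit(url).hostname
        if host and site_of(host) != first_party:
            found.setdefault(host, []).append(tag)
    return found


def unapproved_hosts(html, page_url, allowlist):
    """Third-party hosts present in the markup but missing from the allowlist."""
    return sorted(h for h in third_party_hosts(html, page_url) if h not in allowlist)


# Constructed sample: an enrollment page with first-party assets, one approved
# font host, and two advertising hosts (all names are placeholders).
PAGE_URL = "https://enroll.health-exchange.example/apply/household"
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="https://www.partner-site.example/apply">
<link rel="stylesheet" href="https://fonts.cdnhost.example/css?family=X">
<script src="/static/app.js"></script>
<script src="https://static.health-exchange.example/vendor.js"></script>
<script src="//snap.adnetwork.example/insight.min.js"></script>
<script>var inline = 1;</script>
</head><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<img height="1" width="1" src="https://px.tracker.example/collect?pid=0000" />
<iframe src="https://px.tracker.example/sync"></iframe>
</body></html>
"""
APPROVED = {"fonts.cdnhost.example"}

if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_PAGE, PAGE_URL).items():
        print(f"{host}: {', '.join(tags)}")
    print("not approved:", unapproved_hosts(SAMPLE_PAGE, PAGE_URL, APPROVED))
```

A static pass like this only sees what is in the delivered HTML; scripts that inject further tags at runtime need a headless-browser crawl or a Content-Security-Policy report to catch.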
The reality is that anyone in the medical field can put any kind of information in your medical records for any reason. Many motivations exist to compel this kind of behavior. Sometimes this can be in a part of your permanent record that they do not have to provide to you, even if you follow the rules and laws to request the information. Many exceptions exist under the disclosure laws.
Your information then can be freely shared with others but not given to you or give you any way to correct the false information in your record.
For what it's worth, in the United States at least, you have several permanent records that follow you everywhere you go. Your medical records work in a similar way to your former employers. In fact, employer confidentiality to other employers allows them to say almost anything about you and neither has to share it with you and you have no chance to have any kind of fair process to correct it.
Now add all the data brokers and the other bribery kind of situations and the whole system is basically broken and corrupt.
That is misinformation. HIPAA covered healthcare providers are legally required to give you copies of your health information upon request, and can only charge a nominal fee for this service (in practice it's usually free). Any patient who is blocked from accessing their own medical records should file a formal complaint with HHS; they have fined multiple provider organizations for violations.
My understanding is that people would have to intentionally click on the ad on LI to get access to the cookie that contains the sensitive info from the insurance signup flow (which was triggered by clicking the ad). Is that correct?
Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act. It only mentions as an aside that there are various related lawsuits.
Covered California's privacy policy explicitly says they follow HIPAA and that "Covered California will only share your personal information with government agencies, qualified health plans or contractors which help to fulfill a required Exchange function" and "your personal information is only used by or disclosed to those authorized to receive or view it" and "We will not knowingly disclose your personal information to a third party, except as provided in this Privacy Policy".
Those privacy policy assertions have been in place since at least October 2020, per the Internet Archive wayback machine record. [2]
Companies outright lie in their privacy policies all the time. The legal risk in doing so is basically zero because nobody bothers to sue and it's impossible to show damages.
> Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act.
Being really clear, I despise this whole situation. But there's a lot of contortion to get to a government healthcare marketplace being considered a healthcare provider, which has a definition in the law.
People like to say "big tech sells their data." This is actually rare. Almost every other company you deal with willingly gives it to big tech, and they just hoard it and run ads with it.
If you have a value sliding scale of "actually harmed", then almost no privacy breach harms anyone, right? Is the threshold for harm actually being scammed, physically hurt, reputation damaged?
Thankfully, though, the law is not based on such thresholds.
When I first read the headline, I thought it was a boneheaded mistake of forgetting to disable tracking on certain web pages. But no:
>The Markup found that Covered California had more than 60 trackers on its site. Out of more than 200 of the government sites, the average number of trackers on the sites was three. Covered California had dozens more than any other website we examined.
Why is Covered California such an outlier? Why do they need 60 trackers? It's an independent agency that only deals in health insurance, so they obviously (and horribly) thought it was a good idea to send data about residents' health insurance to a third party.
I'm sure they did it for money. Those trackers weren't put there for nothing. At least government websites funneling citizens' data to Google by using Google Analytics on their sites can argue that they're just selling out taxpayers to get easy site metrics. When you've got 60 trackers on a single page though, somebody is stuffing their pockets with cash in exchange for user data.
I assume some of it was to show targeted ads on social media platforms. I'm sure an internal KPI is new customers, just like any e-commerce site.
Quick reminder that the state of California takes a DNA sample from every newborn and sells it to third parties.
Covered California, the state’s health insurance marketplace, leaked deeply sensitive health information and pregnancy status, domestic abuse disclosures, and prescription drug use to LinkedIn via embedded ad trackers.
It’s a pattern we’ve seen across government and private sectors: infrastructure designed for care is being exploited for behavioral targeting through advertising motions. The public doesn’t expect their health decisions to be fed into social ad networks, but the platforms already assume ownership of that data trail.
And of course, it’s all connected. The same companies monetizing behavioral profiling at scale are now running the most powerful generative AI systems. Microsoft, which owns LinkedIn, is also the key infrastructure partner of OpenAI. Meta's ad tools were present on these health sites too. Google’s trackers are everywhere else.
When you strip away the techno-mystique, what’s driving the AI and data arms race isn’t wisdom. It’s ego, power consolidation, and a pathological fear of being second.
And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
Would we be surprised to learn of 10x this level of leakage to Facebook? Based on the social tracking I've casually observed via browser tools when signing up to a variety of services, I'd be surprised if it's not. The weird thing here is that it's LinkedIn getting the data, not that it's being sent.
What we call "power" is not a property of a person, but a function of networks of relationships. A king is only "powerful" insofar as his authority is recognized. The moment his perceived authority is lost, the moment no one or few recognize it, is the moment he no longer has "power".
In other words, it only works if there is enough social support for it. It requires our complicity.
Most people with ASPD (what you call sociopathy) are not able to build these sorts of networks. They're impulsive. They are over-represented among the homeless. They are poor at planning or foreseeing the consequences of their actions. These are not exactly conducive to building these social networks. A sociopath is more the street thug or the gangbanger and less the CEO of a corporation.
It's the idea that class warfare will get us anywhere good that's brutally naive at this point.
What do you define as “class warfare?” Do you agree that the current status-quo hyper-consolidation of wealth our economy has fostered since at least 1972 is already an ongoing type of class warfare?
And finally, why do you think class warfare can’t get us anywhere?
Class warfare is already happening from the top down.
I love it when enforcing laws and fairness is perceived as "class warfare."
I think class warfare will get the working class further than whatever is being done at the moment honestly.
...why? How?
Have you seen any history at all? This has never worked.
Cohesive, trusting societies get much further than ones that are at war with themselves. Even so, cohesion and trust are nice-to-haves.
Tech progress and GDP growth has meant that the world's poor live better lives, decade after decade, for many centuries now.
I don’t think the working class started the war, so if the working class stops, the class war doesn’t end.
People advocating for their interests isn't warfare.
I assure you there are virtually no rich people cackling, monocles and cigars in place, over the fate of the poor.
When the working class unionizes or votes for more rights, this isn't warfare - as long as it's fair-minded and pragmatic rather than ideological. The same goes for the rich.
Regarding people with other backgrounds and interests as evil sociopaths / socialists is where the problem comes in.
> People advocating for their interests isn't warfare.
When those interests come at the expense/lives of other people, it is [1] [2].
> I assure you there are virtually no rich people cackling, monocles and cigars in place, over the fate of the poor.
Correct, their theatrics are even dumber than that [3].
---
[1] "House Republicans Push Forward Plan to Cut Taxes, Medicaid and Food Aid" - https://www.nytimes.com/2025/05/14/us/politics/congress-tax-...
[2] "Sanders on GOP Medicaid cuts: ‘Thousands and thousands of low-income and working people will die’" - https://thehill.com/homenews/senate/5302085-bernie-sanders-r...
[3] "Musk waves a chainsaw and charms conservatives talking up Trump’s cost-cutting efforts" - https://apnews.com/article/musk-chainsaw-trump-doge-6568e9e0...
Musk waving a chainsaw is one out of many hundreds of millions of rich people. And there's reason to believe that he believes he's doing something that's good for society in the long run, even if you disagree with him.
It's not often I come across someone who so clearly identifies as a temporarily embarrassed millionaire.
By definition, 1% of the world's population is 80MM people, so your "hundreds of millions" statement bares your ideological slant more than you may realize.
Your comment has two lines but manages to be very puzzling indeed.
"temporarily embarrassed millionaire" is a term that bares your ideological slant, which I hope and I'm sure you realize. But that you pose our ideological differences as a problem is bizarre. You do realize the world contains left- and right-wingers, and that probably 90% of the population is somewhere in the middle, right? And that this is OK? Or do you insist that everyone see things 100% as you do?
Also, who said only the 1% is rich? If I say it's the top 2% then we're well into the hundreds of millions, no? And what about all the rich people who were alive in the past, can we not use their attitudes for our discussion too? And what if we pick a numeric cutoff to be considered rich, or a qualitative one?
> that he believes he's doing something that's good
That seems entirely irrelevant? Pretty sure Napoleon, Stalin etc. did too.
> one out of many hundreds of millions
That’s like saying that the president of the US is one out of many millions of politicians..
Empathy is intelligence, a void of empathy is lack of intelligence. Empathy is the only means to "put your self in someone else's shoes".
I would also classify narcissism as a void of intelligence, they cannot be honest with others and themselves. They always must be right and know everything when they are wrong and know nothing about the subject.
Lacking empathy and being a narcissist does not benefit society, only one's self interests. That is billionaire, not millionaire, Elon Musk. He is just selling the idea of "doing something good" to improve his self interests.
How many charities does he fund? How much of his wealth goes to studying the eradication of disease like cancer or parkinson's?
But don't worry, his statement from 2014 about full self driving cars are just around the corner and will help humanity reach its peak. Just like traveling to Mars. /s
His actions actually harm society. Hungry children have reduced mental capabilities to advance in school and their futures. He chose to actively harm future generations and those he doesn't deem worthy.
I feel an intense hatred for him and his "colleagues."
And I want to do something about his atrocious actions. But I'm afraid that the things I would do are as wrong as theirs.
I see it all the time on Reddit, on social media, and sometimes occasionally on this site when I was scrolling amongst its various pages.
Some on the left claim "There's a reason for a 2nd amendment" or "Time to kill the rich" and more varying levels of obscene and violent rhetoric.
But there's a problem there, both sides are becoming more extreme, hateful, and violent; and from my perspective- perhaps others won't share mine- I see the world becoming colder, becoming more cruel and hateful.
The world is losing its empathy, and as you wrote...
The world is becoming more stupid quite plainly.
And I want to do something about it, I try to research, to analyze, and I try to use what's left of my critical thinking skills that haven't already been eroded by social media and A.I.- But I just can't. I genuinely don't know what to do.
So here is my question, for others on this site:
What can we do about these outrageous individuals, pushing the U.S. and the world back generations and years of scientific advancements, how do we stop them?
And how do we stop the growing coldness that is growing slowly through the world?
You should maybe read about the history of the US labor movement to understand how and why we have good working conditions: https://www.pbs.org/wgbh/americanexperience/features/themine...
We have good working conditions mainly because we can now afford them.
Do you think poor people didn't get upset / rebellious in centuries and millennia past?
The difference now is that we have the GDP and tech to support much cushier lives for vast numbers of people.
Technology increases the size of the pie, but it is always possible to make the distribution of slices extremely unequal. More gdp and tech does not guarantee a better quality of life, as many countries today demonstrate.
Name such a country and then also explore that country's economic history over the past 200 years.
I think you'll be hard pressed to find one where life hasn't gotten vastly better.
Haiti
It has worked in many, many places.
> Tech progress and GDP growth has meant that the world's poor live better lives, decade after decade, for many centuries now.
Every single time during the leaps of technology that brought tech progress and GDP growth there needed to be some kind of workers' revolt or the threat of it to actualise poors living better lives. Every leap in progress of systemic quality of life for workers came through class war: revolts, general strikes, mass protest, organized labour, etc.
Why do you think now it's different?
There was no workers' revolt in the 19th century US, but the lives of the poor across the board pulled scores of millions in poverty into the middle class and beyond.
The common thread of workers' lives improving is free markets, not revolts.
That is not accurate. There were many strikes in the industrial part of the US during the 1800's. That's how working conditions were improved in the mills. The free market would have crushed the working people had they not banded together and revolted to improve safety, reduce working hours, and increase pay.
Wikipedia has articles on the larger actions like this: https://en.wikipedia.org/wiki/1835_Philadelphia_general_stri...
The rest of the US was primarily agricultural, and did not have major strikes until later, but the improvement in the lives of those people who lived there was not because of free markets. Their lives improved because of the immense natural resources that were literally being given away free to people to cultivate and exploit, after the Native Americans were subjugated and removed.
Strikes are not revolts.
> The rest of the US was primarily agricultural, and did not have major strikes until later, but the improvement in the lives of those people who lived there was not because of free markets. Their lives improved because of the immense natural resources that were literally being given away free to people to cultivate and exploit, after the Native Americans were subjugated and removed.
The same thing at the same time happened in Central and South America, yet prosperity and uplift never happened.
What's the difference? Free markets in the US. Unfree markets in Central and South America.
Japan, S Korea, Taiwan and Hong Kong have no natural resources, but when they turned to free markets, it's boom time for their economies.
That is not accurate again. Not only did North America have much more available and abundant natural resources than Central America and South America, the immigration to North America was much higher, so there was a more able labor force to cultivate and exploit the land. Your reductionist stance about free markets is misleading. A free market is only one component of why these places prospered, and may be the least important. Civil liberties and political stability, in addition to the natural abundance already mentioned, were probably much more responsible for the prosperity of North America. Likewise, with post-war Asia you miss the mark. For example, you overlook Japan's pre-war industrial development as well as their embrace of defeat after the war to develop their economy and civil society. I'm not arguing for planned economies (quite the opposite), but the lack of nuance in your argument means that you miss the mark.
Do you really believe that lack of resources in S America meant lack of prosperity? It's still composed of third world countries.
> and may be the least important
It's the only common thread. I provided numerous examples that refute the requirements you listed.
> Japan
Japan's pre-war industrial economy was not an economic powerhouse. Their soldiers were very lightly equipped. They built a handful of capital ships, and when those were sunk they couldn't be replaced. Curtis LeMay resorted to area bombing of Japan because their heavy industry was a collection of homes with drill presses (LeMay's characterization) so there weren't concentrated industrial targets.
What's the excuse for S Korea, Taiwan, Hong Kong?
Have you noticed that when China gave up on collectivism and turned to free markets, suddenly they became a very prosperous world power?
Yes, people preferred to immigrate to the US. Why would that be? Because it is free market and hence a land of opportunity, unlike any place else at the time.
China has an enormous population, but did not become prosperous until, again, free markets.
There was the Homestead Strike in 1892, during which 9 people died. The Pinkerton Detective Agency, which "handled" the strike for Carnegie, is notorious for violently busting strikes in the 19th century US.
https://en.wikipedia.org/wiki/Homestead_strike
And how many workers did that affect vs the population of the country?
It was the beginning of a movement which affects all workers in the US today, so... 100%.
Today is 125 years after the close of the 19th century.
Err, "today" today? Today looks more like May 15 to me.
The 19th century closed on December 31, 1900, right? Do you disagree with that? That the 20th century began on 1/1/1901? Not in dispute?
I would say we're at 124.5 years after its close today, if you really mean today. I suppose if you want to be sloppy and round up we could achieve 125, but technically, we're still, like, 7.5 months away from December 31st.
There were quite a few slave revolts in the 19th century.
All the ones in the US were quite unsuccessful. Prosperity didn't happen in the slave states, either.
> The common thread of workers' lives improving is free markets, not revolts.
The common thread is both, not one or the other.
How did that French Revolution work out? The Communist revolution in Russia? The Cuban revolution?
Free markets always result in prosperity. Worker revolts never have.
I feel I need to repeat myself so you can properly read: I clearly mentioned both were required to bring forth better quality of life to workers. Without workers' revolt there is only ever increasing exploitation, every single perk the poorer have got after advances brought forward by free markets was through a revolt, a mass protest, general strike, without those there would still be slavery, legalised child labour, 16h workdays, etc.
Yet again you are lost in ideology, Walter, it gets very tiring after a while, you only got a hammer and you gotta nail everything with that hammer. It's comically myopic.
> Yet again you are lost in ideology
I could say the same about your arguments. Labor unions simply did not affect a high enough percentage of the population to attribute American prosperity to them.
> without those there would still be slavery
Slavery was abolished due to the Union Army, not unions. I've never heard any mention of labor unions being part of the abolitionist movement.
> legalised child labour
The abolition of child labor was not the result of labor unions.
> 16h workdays
Were only made possible by productivity improvements brought about by free markets.
> It's comically myopic
What's funny is all these learned academics who overlook the glaringly obvious and consistent correlation of free markets with prosperity, and keep coming up with other reasons for prosperity that aren't consistent at all.
There were plenty of worker revolts in the 19th century which laid the groundwork for the modern labor movement.
https://www.pbs.org/wgbh/americanexperience/features/themine...
The overwhelming majority of workers in the 19th century were not part of unions, yet they moved into the middle class anyway.
The war has never stopped https://en.wikipedia.org/wiki/Union_violence_in_the_United_S...
Unionizing and voting for Saturdays off and the politics of the underdog hardly counts as "warfare".
It's when we regard one another as evil that we start to pursue ideology over pragmatism and end up cutting off our noses to spite our faces.
I object to my original parent comment's characterizing of everyone with any form of wealth and power as being a sociopath. It's not only untrue (which is disqualification enough), but this kind of attitude doesn't serve anyone.
> Unionizing and voting for Saturdays off and the politics of the underdog hardly counts as "warfare".
Yes, the workers' demands were reasonable, but they were met with warfare by the upper class who did not want to accept reasonable demands. The most extreme example is the Battle of Blair Mountain, but there are countless records of strike breakers beating and killing workers for striking and unionizing.
Cohesive trusting societies are borne out of the struggle to dethrone oligarchs and lords.
French revolution worked pretty well for the working class
It was more of a middle class thing. It kind of worked kind of relatively well for them. When the French Kingdom was reestablished after Napoleon it was run by bankers and not nobles..
I can't tell if that is sarcasm or not. It was characterized by mass dysfunction and devolved into a dictatorship within 5 years, and 10 years of global war as France tried to fund populist mistakes by pillaging foreign countries, a million French deaths, and maybe 4 million foreign deaths, not to mention mass wounded, starvation, and hardship.
And by the end of all that, they had a king again.
Their efforts were all for nothing.
Warfare is dumb.
The class struggle is a perspective. It points to how blind rich people are to social issues, and how blind the poor are to economic issues. These two need the struggle, gently. Without it, there is either bloody revolution or cruel autocracy.
That's as simple as it gets. Many people get it wrong.
I assure you that poor people are not universally blind to economic issues. lol.
That's the least important part of my statement.
There is a struggle between those who have power and those who don't. This displacement creates blind spots, and also vantage points.
Poor people can't afford to be blind to economic issues. Rich people have more leeway there.
Do you consider yourself blind to economic issues? Rich or poor? Straight question.
I am poor, and if I am blind to economic issues, I will be worse off. I need to be frugal. I need to keep track of the things I am paying. I need to ask myself before each purchase: do I really need it? And so forth... Sure, many poor people might still gamble away their money, or buy stuff they cannot afford, but humans are being humans.
I think publicly leveling accusations against other commenters downgrades the quality of the conversation—and it's against the forum rules too.
You can email the mods if it's something that can be moderated, but please keep it private! It makes things worse if this kind of accusation happens to be wrong. (Also makes things worse if it's right). Often it's singling out an actual, real person for unpleasant scrutiny they didn't expect or want.
"Remember the human."
Which rule did I break, exactly? I just stated a fact.
We are asked not to, like,
> "Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data."
I understand your point. And I would agree if the comment would be ambiguous. But it's clearly AI. And I'm honestly really tired of AI slop. I can accept AI helping one person to understand something, or helping one to build an argument. But copying and pasting is a totally different thing.
>And Sam Altman? He’s not stupid. But brilliance without wisdom is just charisma in a predator suit. Why do you think all these services tie directly into AI?
I don't think AI would come up with this line
Funnily enough, that's the line that made me suspicious it was AI. I've seen that structure and that sort of metaphor many times from ChatGPT. And it's not like GPT shies away from criticizing Altman (https://chatgpt.com/share/682623aa-eac0-8000-9fa3-d039580a01...). The rest of the comment doesn't set off any alarm bells for me.
Same, I've read enough ChatGPT prose to recognize it. The rest of the comment has also small cues that point to AI.
For the last week, LinkedIn kept showing me ads for some specific dental procedure, near the top of my feed.
It's an optional follow-on procedure for the dental surgery procedure I had scheduled for this week.
I'm much more careful than most people about keeping Web search and browsing history private. But there's a chance that last week I browsed some question about the scheduled procedure, from my less-private Web browser, rather than from the Tor Browser that I usually use for anything sensitive that doesn't require identifying myself.
If I didn't make a Web OPSEC oops, it looks like maybe someone effectively gave private medical information to LinkedIn, of all places (an employment-matchmaking service, where employers are supposed to be conscientious of EEOC and similar concerns).
Why does a state have ad tracking data? Are they really that hard up for cash that they need to have ad campaigns for people selecting insurance?
I understood it to be the reverse - they advertise on LinkedIn, and the trackers determine whether the users convert once they click through. Not great, but at least not as ill intentioned
Not sure I understand this, but "I" (coveredca) pay linkedin to place my ads, for which "I" have to use their libraries? That then scrape "my" clients/customer data to linkedin? for them to make more money selling that data?
Does this also mean that those pious popups about "Do not sell my information" are essentially vacuous?
It could be insiders getting kickbacks.
Here's some context for people who are curious about CA DMV data sales:
https://www.thedrive.com/news/35457/why-is-the-california-dm...
How is this not a HIPAA violation??
While I wish it was a HIPAA violation, I am not sure it qualifies. "The HIPAA standards apply to covered entities and business associates “where provided” by §160.102. Covered entities are defined as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit PHI in connection with transactions for which HHS has adopted standards" https://www.hipaajournal.com/what-is-a-hipaa-violation/#what...
Covered California is a health insurance marketplace. It is not an Insurance Carrier or an Insurance Clearing house. Perhaps they're guilty of something else?
However, it may violate the state's Electronic Communication Privacy Act.
https://calmatters.org/health/2025/05/covered-california-lin...
the state will do an investigation on itself and find no wrongdoing
Sounds like HIPAA needs some adjustments made to cover marketplaces.
HIPAA is not designed to protect consumer or patient privacy. That is a silly fiction that voters and constituents believe in order to prop up the legislation.
HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers. HIPAA is designed to make it maximally difficult to move PHI from one provider to the next. HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers. HIPAA is a stepping-stone to single-payer insurance.
HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care. No entity under HIPAA can legally divulge the slightest tidbit to your brother, your parents, or anyone who contacts them, unless an ROI is on file. Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.
The other person who replied to you is much more accurate.
> HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.
If I am a provider (and I am, or have been) of yours, I can get information from other providers on the care they've provided you. In fact, as appropriate, I can get it without your permission or consent (particularly useful in situations of pill-seeking, or mental health, but other situations too, that I encountered as a paramedic).
While many providers will get you to sign paperwork consenting to this, it is mostly CYA.
IANAL, but I work in healthcare, and a portion of my work is trying to ensure obligations under HIPAA are met.
> HIPAA is designed to protect the privacy of providers, clinics, hospitals, and insurance carriers.
No? I can practically quote the law directly here, though it is a bit dense:
> A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
I.e., the privacy of your, the patient's PHI is protected.
That's a privacy regulation, and it is talking about and protecting the privacy of patient data, not provider's, etc.
> HIPAA is designed to make it maximally difficult to move PHI from one provider to the next.
It does no such thing. But [1].
> HIPAA is designed to make it maximally difficult for plaintiff attorneys to discover incriminating malpractice evidence when suing those providers.
Plaintiffs can divulge their own PHI directly to lawyers. Otherwise, no, lawyers don't get to access random people's PHI … but that's directly because the privacy of that PHI is protected. Further, one of the exceptions to HIPAA's protections is judicial order … so if plaintiffs can get a judge to agree, they can get a limited window into people's PHI. But … no, they don't just get to see?
> HIPAA is a stepping-stone to single-payer insurance.
… clearly not, or where is it?
> HIPAA also makes it maximally difficult to involve other people, providers, and entities in your health care.
People: you're always permitted to divulge whatever you want, to whomever you want, about your own PHI. But no, a doctor cannot divulge PHI to, e.g., an adult's parents without authorization. Again, this is to protect the patient's privacy: for example, so that a woman can keep something medically private from her husband if she chooses, or an (adult) patient can not have nosy parents learning things that are not their business, etc.
(Parents/guardians of non-adult children are treated differently, of course. There are other exceptions, and exceptions to the exceptions, but generally, they follow pretty common sense lines.)
Providers, entities: again, HIPAA only prevents this without your consent, and that's basically what privacy is.
And … you know this:
> unless an ROI is on file.
(An ROI is a "release of information", for others.) Yes, if you consent, then your PHI can be divulged. This is like the very definition of patient privacy.
> Those ROIs are a thing you have to go pursue on your own -- they are never offered or suggested by the provider -- and those ROIs will expire at the drop of a hat -- and you never know if an ROI is valid until it is tested at the point of that entity requesting information.
This isn't true, either; I've had providers ask for ROIs, and nothing prevents a provider from taking initiative. (Perhaps you need a better provider.) Yes, to a large extent, you must own your own outcome in American healthcare, but I think this is more a function of other failings in HC than HIPAA.
Also, … yes, ROIs are scoped: they're only good for a specific instance of releasing information, i.e., they're not carte blanche to the provider to release your information to the world. Again, that's a privacy protection.
In the specific case covered by TFA, upstream is right: it is unfortunate that marketplaces might not be covered entities, and probably should be. This would be a common sense update to the law, so call your congressperson. Were they, HIPAA prohibits what occurred here, and other covered entities have been fined for exactly this type of error/behavior. I.e., HIPAA has prior examples of preventing exactly the badness here!
[1] I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent. I'd say this is more a function of providers not adhering to standards like they ought to; I've seen precious little use of FHIR (for others: standardized format for HC data) in my time in the industry, and the state of tech for inter-provider transfers is such that most providers probably do find it easier to just re-collect the data they need. Heck, even within a provider, I've witnessed struggles to transfer data.
> Providers, entities: again, HIPAA only prevents this without your consent, and that's basically what privacy is.
Not even, it specifically allows providers who are actively caring for you to share, even without your consent. Straight from the horse's mouth:
"Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization? Answer: Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization."
Source: https://www.hhs.gov/hipaa/for-professionals/faq/481/does-hip...
> I empathize that moving data between providers is not easy, but this is hardly due to HIPAA, which permits such, assuming patient consent.
It doesn't even really always require consent, but a provider relationship. Consent can grease the wheels though.
It's like you said, very little use of FHIR or still so so much HL7. And anyone who has dealt with those standards knows that just because EHR vendor A says they support them, and EHR vendor B does, doesn't mean data sharing will be smooth.
Yeah. (I didn't include that as it seemed like the person above was writing specifically about provider-provider sharing, and while I know provider-BA sharing is fine in the course & context of administering care, I was less sure about provider-provider. But I think there are plenty of examples of this in my own HC, such as when I go for a blood draw and I get 8 bills. But again: HIPAA really doesn't throw too many surprising curve balls here.)
And yeah, lots of HL7v2. (for readers: HL7v2 is a protocol for medical data sharing. Predates FHIR, and is muuuuch uglier. FHIR is JSON/HTTP, albeit complicated, because medical. HL7v2 is custom binary (or I think there's an XML variant that I pray I never run into?). Not to be confused with the organization HL7.
HL7v2 is also the reason for a lot of having to deal with IPSec tunnels, something else I could stand to never see again.)
> And anyone who has dealt with those standards knows that just because EHR vendor A says they support them, and EHR vendor B does, doesn't mean data sharing will be smooth.
Yep. Some unintentional (the standard is complex, people make mistakes), some intentional (the standard permits extension, and obviously custom extensions might not port).
And that's like every other standard an eng on HN is going to interact with, really.
Two reasons: The marketplace is not a covered entity (it doesn’t provide healthcare or process transactions), and the information is not a medical record (it’s typed in by the user, not generated by a healthcare provider).
However, California has its own more general privacy law about using medical information for marketing purposes.
So if I fill out my medical record form at the doctor's office, it's not a medical record because I, the user, filled it out before handing it over the front desk?
Because you filled it out in the context of interacting with a medical provider, then gave it to them for their records, that is a medical record. (Just like a conversation with your doctor about your history would be.)
If you filled out the same form just to keep in your desk drawer for your family’s reference, it would not be. Also, if you ask for a copy of your record, as soon as you take personal possession of it, HIPAA no longer cares about it, because you aren’t a covered entity.
(Source: I founded a startup that spent a lot of money on attorneys to confirm this.)
Filling out forms at the doctor's office is one way they trick you into authorizing them to sell your data and no matter how careful you are about it you can still end up having your data sold. https://www.statnews.com/2023/04/07/medical-data-privacy-phr...
Who says it's not? It looks like a HIPAA violation to me.
California will investigate and find no wrong. Also, LinkedIn==Microsoft
They published ("leaked" lol no -- it was all available through a polished portal) the name and address of all CCW and DROS registered firearm holders (including judges, DV victims, prosecutors, etc) and nothing happened.
They use your information for political warfare.
If you routinely clear your cookies, does that protect you from long term tracking?
Not if you use Chrome 135 or later, which is every browser now except Firefox/LibreWolf.
Federated Learning of Cohorts (FLOC) proved that cookies aren't actually necessary to track you with 98%+ precision, which, given how the internet works, is just 2 clicks.
The only way to stay anonymous is to stay on the radar. Sandbox your browser, have multiple physical-on-the-filesystem profiles and never mix business with pleasure or banking with youtube.
If you use Linux, create a Windows 11 VM to browse anonymously. Because Linux makes you already stick out as a sore thumb due to its TCP fingerprint.
Won't VM be detected by GPU name which is exposed by WebGL and similar technologies? What computer has a GPU with a name like "QEMU GPU"?
If you do that, at least change GPU name to NVIDIA or something.
Fingerprinting is an active area of research (both attack and defense), so the answer is, maybe, depending on just how unique your setup is. EFF has a nice demo that will try to fingerprint you and tell you how trackable you are based on non-cookie data: https://coveryourtracks.eff.org
Of course, new techniques are invented all the time, so that may not cover everything.
Unless they are targeting a specific individual for spying purposes, is there any benefit to doing such deep fingerprinting at the individual level, given that multiple people might use the same computer? It seems like knowing every single thing done at that computer may be too much information that might not have value but having more broad-based tracking patterns would be cheaper and more profitable, no?
Advertisers say that the better they can target advertisements, the more valuable they are. If so, then every bit of fingerprinting helps. Maybe multiple people use a computer which degrades it for those particular people, but then many other computers are used by only one person, so it's helpful in aggregate. I'm skeptical this actually works, given the atrocious quality of ads that I see when they sneak past my ad blocker, but that's what they say.
Is Covered California a government entity, for profit, non profit, other...? Not that it matters.
"Leak" is not the right term. By default a "website" is a 404. Throw some HTML on there and users can see something. Adding LinkedIn tracking is a deliberate choice. Calling the data "leaked" is like saying a raft sprung a "leak" when the person in the raft punctured it 60 times (number of trackers). The data was shared and pushed to LI, on purpose. They (Covered CA) installed LinkedIn's code on their site. The code did exactly what it was intended to do, send data to LinkedIn.
A leak is accidental, this was a choice by Covered CA.
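The comment above argues that each tracker is code the site operator chose to embed, which is something a site owner can verify from the page source. As an added example (not from the thread or from any site it discusses), this sketch lists the third-party sites a page loads resources from; the sample HTML, the hostnames and the two-label domain heuristic are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; every hostname is a placeholder, not a real site.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.tracker-one.example/pixel.js"></script>
<script src="//ads.tracker-two.example/tag.js" async></script>
<link rel="stylesheet" href="https://static.health-exchange.example/site.css">
</head><body>
<img src="https://px.tracker-one.example/collect?ev=pageview" width="1" height="1">
<iframe src="https://sync.tracker-three.example/frame.html"></iframe>
<form action="/enroll"><input name="pregnant"></form>
</body></html>
"""

class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically when the page loads."""
    FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.FETCHING.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append((tag, value))

def site_of(host):
    """Crude registrable-domain guess: last two labels (assumption, no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def third_party_hosts(html, page_url):
    """Map each third-party site to the set of tags that load from it."""
    first_party = site_of(urlparse(page_url).hostname)
    collector = ResourceCollector()
    collector.feed(html)
    found = {}
    for tag, raw in collector.urls:
        host = urlparse(raw).hostname  # None for relative (first-party) URLs
        if host and site_of(host) != first_party:
            found.setdefault(site_of(host), set()).add(tag)
    return found

def audit(html, page_url, allowed=frozenset()):
    """Return the third-party sites that are not on the allowlist, sorted."""
    return sorted(s for s in third_party_hosts(html, page_url) if s not in allowed)

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, "https://www.health-exchange.example/enroll"))
```

A static scan like this only sees tags present in the served HTML; trackers injected at runtime by a tag manager need a check of the browser's actual network requests.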
The reality is that anyone in the medical field can put any kind of information in your medical records for any reason. Many motivations exist to compel this kind of behavior. Sometimes this can be in a part of your permanent record that they do not have to provide to you, even if you follow the rules and laws to request the information. Many exceptions exist under the disclosure laws.
Your information then can be freely shared with others but not given to you or give you any way to correct the false information in your record.
For what it's worth, in the United States at least, you have several permanent records that follow you everywhere you go. Your medical records work in a similar way to your former employers. In fact, employer confidentiality to other employers allows them to say almost anything about you and neither has to share it with you and you have no chance to have any kind of fair process to correct it.
Now add all the data brokers and the other bribery kind of situations and the whole system is basically broken and corrupt.
That is misinformation. HIPAA covered healthcare providers are legally required to give you copies of your health information upon request, and can only charge a nominal fee for this service (in practice it's usually free). Any patient who is blocked from accessing their own medical records should file a formal complaint with HHS; they have fined multiple provider organizations for violations.
https://www.hhs.gov/hipaa/for-individuals/guidance-materials...
https://www.hhs.gov/hipaa/for-professionals/compliance-enfor...
My understanding is that people would have to intentionally click on the ad on LI to get access to the cookie that contains the sensitive info from the insurance signup flow (which was triggered by clicking the ad). Is that correct?
Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act. It only mentions as an aside that there are various related lawsuits.
Covered California's privacy policy explicitly says they follow HIPAA and that "Covered California will only share your personal information with government agencies, qualified health plans or contractors which help to fulfill a required Exchange function" and "your personal information is only used by or disclosed to those authorized to receive or view it" and "We will not knowingly disclose your personal information to a third party, except as provided in this Privacy Policy".
Those privacy policy assertions have been in place since at least October 2020, per the Internet Archive Wayback Machine record. [2]
[1] https://www.coveredca.com/pdfs/privacy/CC_Privacy_Policy.pdf
[2] https://web.archive.org/web/20201024150356/https://www.cover...
Companies outright lie in their privacy polices all the time. The legal risk in doing so is basically zero because nobody bothers to sue and it's impossible to show damages.
> Amazing to me that an article like this doesn't have a big section discussing how a provider sharing personal health data without permission is blatantly illegal under the HIPAA act.
Being really clear, I despise this whole situation. But there's a lot of contortion to get to a government healthcare marketplace being considered a healthcare provider, which has a definition in the law.
People like to say "big tech sells their data." This is actually rare. Almost every other company you deal with willingly gives it to big tech, and they just hoard it and run ads with it.
That's nothing. The Federal government sent residents' personal health data to xAI.
Source?
Brought to you by the state reinventing GDPR for the American audience another 80IQ moment which will be lauded by some as a brave new world...
Get your act together and either resign or stop handling public data let alone the sensitive stuff. I'm serious, draft that letter now.
Even with the absolute incompetence shown in this article (Meta or Google would never make a mistake like this), no one has been actually harmed.
If you have a value sliding scale of "actually harmed", then almost no privacy breach harms anyone, right? Is the threshold for harm actually being scammed, physically hurt, reputation damaged?
Thankfully, though, the law is not based on such thresholds.
Relative to the actual harms caused, HN freaks about this kind of stuff too much.