How the state sent Californians’ personal health data to LinkedIn

Who knew what when.

Covered California Sent Sensitive Health Data to LinkedIn: What Job Seekers Need to Know

Investigation Uncovers Major Privacy Breach Affecting Millions of Californians

A recent investigation has revealed that Covered California, the state's health insurance marketplace, has been transmitting highly sensitive personal health information to LinkedIn without users' knowledge or consent, potentially affecting millions of Californians including job seekers.

The Investigation's Findings

According to forensic testing conducted by CalMatters and The Markup, the website coveredca.com was sending sensitive data to LinkedIn through tracking tools embedded in the site. The tracked information included responses to questions about whether visitors were blind, pregnant, or used a high number of prescription medications. The trackers also monitored and shared whether visitors identified as transgender or reported being possible victims of domestic abuse.

The website also transmitted detailed information to LinkedIn when visitors selected doctors to check if they were covered by a plan, including the doctors' specializations. The site even told LinkedIn if someone searched for a specific hospital.

Kelly Donohue, a spokesperson for Covered California, confirmed that data was sent to LinkedIn as part of an advertising campaign. Since being informed of the tracking, "all active advertising-related tags across our website have been turned off out of an abundance of caution," she added.

Scale and Timeline of the Issue

Visitors who filled out health information on the site may have had their data tracked for more than a year, according to Donohue, who said the LinkedIn campaign began in February 2024. CalMatters observed the trackers directly in February and March of 2025, and confirmed most ad trackers, including the Meta "pixel" tracker, as well as all third-party cookies, have been removed from the site as of April 21.

In March, Covered California announced that a record of nearly 2 million people were covered by health insurance through the program. About one in six Californians were at one point enrolled through Covered California. This means a significant number of residents may have had their personal health information exposed.

LinkedIn's Position

On its informational page about the Insight Tag, LinkedIn places the burden on websites that employ the tag not to use it in risky situations. The tag "should not be installed on web pages that collect or contain Sensitive Data," the page advises, including "pages offering specific health-related or financial services or products to consumers."

LinkedIn spokesperson Brionna Ruff said in an emailed statement, "Our Ads Agreement and documentation expressly prohibit customers from installing the Insight Tag on web pages that collect or contain sensitive data, including pages offering health-related services. We don't allow advertisers to target ads based on sensitive data or categories."

Legal Implications

This data sharing could potentially violate multiple privacy laws:

1. California Confidentiality of Medical Information Act (CMIA): The CMIA is a California law that protects the privacy of individually identifiable medical information obtained by health care providers, health insurers, and their contractors. The penalties for violations can be severe, with fines of up to $2,500 per violation.

2. Health Insurance Portability and Accountability Act (HIPAA): HIPAA establishes federal standards protecting sensitive health information from disclosure without the patient's consent. HIPAA violations may result in civil monetary or criminal penalties.

Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, called it "concerning and invasive" for a health insurance website to be sending data that was "wholly irrelevant" to the uses of a for-profit company like LinkedIn.

"This is an exact example of why we need better protections," Geoghegan said. "This is sensitive health information that consumers expect to be protected and a lack of regulations is failing us."

Covered California's Response

In response to the findings, Covered California has "initiated a review of our websites and information security and privacy protocols to ensure that no analytics tools are impermissibly sharing sensitive consumer information." The organization added that they would "share additional findings as they become available, taking any necessary steps to safeguard the security and privacy of consumer data."

Covered California removed the trackers as CalMatters and The Markup reported on this issue. According to Kelly Donohue, the trackers were removed "due to a marketing agency transition" in early April.

What This Means for Job Seekers

This breach is particularly concerning for job seekers who may have utilized Covered California while between jobs or seeking employment with health benefits. Here's what you need to know:

1. Potential Discrimination: Sensitive health information shared with LinkedIn could potentially be connected to your professional profile or made available to potential employers, though LinkedIn claims it doesn't allow targeting based on sensitive categories.

2. Identity Protection: If you used Covered California between February 2024 and April 2025, be vigilant about monitoring your accounts for suspicious activity that might indicate your information has been misused.

3. Legal Rights: Under the CMIA, any individual may bring an action against any person or entity that has negligently released confidential information or records, for either or both nominal damages of $1,000 and the amount of actual damages sustained by the patient.

Protecting Your Information

To better protect your personal health information online:

1. Check your privacy settings: For Android users, go to Settings > Privacy > Ads. For Apple users, go to Settings > Privacy > Tracking and toggle "Allow Apps to Request to Track" to the "off" position.

2. Disable mobile advertising identifiers: These unique identifiers associated with your phone are used to track your online activity.

3. Manage Wi-Fi and Bluetooth settings: Turn Bluetooth off on mobile devices when not in use and use it in "hidden" mode rather than "discoverable" mode.

HIPAA?

Based on the information available, this data sharing could potentially violate both HIPAA (Health Insurance Portability and Accountability Act) and California's own CMIA (Confidentiality of Medical Information Act). In California, healthcare organizations must comply with both federal HIPAA law and state-specific regulations, which sometimes have stricter requirements.

If HIPAA violations are determined to have occurred, potential penalties could include:

1. Civil penalties, with fines that could reach up to $50,000 per violation
2. In cases where violations are determined to be criminal in nature, imprisonment along with higher fines

Under the California CMIA specifically, healthcare providers who knowingly and willfully obtain, disclose, or use medical information in violation of the law may be liable for administrative fines of up to $2,500 per violation. Individuals may also bring civil actions against organizations that negligently release confidential information.

As for who might be punished, HIPAA enforcement is handled by the HHS Office for Civil Rights at the federal level. They would be responsible for investigating and potentially levying penalties against Covered California. In California, the California Department of Public Health enforces the CMIA.

In cases of HIPAA violations, penalties typically focus on the covered entity (in this case Covered California) rather than individuals, though directors, employees, or officers can sometimes be held personally liable under certain circumstances.

It's worth noting that the investigation is still ongoing, as Covered California has "initiated a review of our websites and information security and privacy protocols" and promised to "share additional findings as they become available." Legal determinations about violations and penalties would likely come after this internal review and any subsequent government investigations are completed.

Sources

1. Lecher, Colin and Apodaca, Tomas. "How Covered California has been sending personal health data to LinkedIn." CalMatters. April 2025. https://calmatters.org/health/2025/04/covered-california-linkedin-tracker/

2. "How California sent residents' personal health data to LinkedIn." The Markup. April 2025. https://themarkup.org/pixel-hunt/2025/04/28/how-california-sent-residents-personal-health-data-to-linkedin

3. "California Confidentiality of Medical Information Act (CMIA)." The Lyon Firm. September 2022. https://thelyonfirm.com/class-action/data-privacy/cmia/

4. "CMIA (California Confidentiality of Medical Information Act)." Accountable HQ. March 2025. https://www.accountablehq.com/post/california-confidentiality-of-medical-information-act

5. "Health Insurance Portability and Accountability Act of 1996 (HIPAA)." CDC. September 2024. https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html

6. "Attorney General Bonta Announces Investigative Sweep of Location Data Industry, Compliance with California Consumer Privacy Act." State of California Department of Justice. March 2025. https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-investigative-sweep-location-data-industry

7. "Confidentiality of Medical Information Act." Consumer Federation of California. March 2016. https://consumercal.org/about-cfc/cfc-education-foundation/cfceducation-foundationyour-medical-privacy-rights/confidentiality-of-medical-information-act/
