California sent residents' personal health data to LinkedIn

What Happened and Why It’s Disturbing

  • Covered California embedded over 60 third-party trackers, sending sensitive data (e.g., pregnancy status, domestic abuse, prescriptions) to LinkedIn and other ad platforms.
  • Commenters stress this was not an accidental “leak” but a deliberate implementation of tracking code that behaved exactly as designed.
  • Many see this as part of a broader pattern: systems built for public services being repurposed for behavioral advertising and data monetization.

Is It a HIPAA Violation?

  • Some insist it’s an obvious HIPAA breach: a health-related entity sharing personal health info without consent.
  • Others argue the marketplace likely is not a HIPAA “covered entity” (not a provider, plan, or clearinghouse) and the data entered by users might not legally qualify as PHI in this context.
  • There’s debate over HIPAA’s intent: one view claims it mainly protects institutions and hinders data sharing; others rebut with direct citations that HIPAA’s core is protection of patient data, with explicit allowances for provider-to-provider sharing for treatment.

Other Legal and Policy Angles

  • Several point to California-specific laws restricting use of medical information for marketing and mention possible violations of the state Electronic Communications Privacy Act.
  • Covered California’s own privacy policy promises HIPAA-level protections and claims data is only shared with government agencies, plans, or contractors—commenters say sending it to LinkedIn flatly contradicts this.
  • Some note that companies routinely misrepresent practices in privacy policies with little legal consequence because direct damages are hard to prove.

Trackers, Ads, and Motives

  • The count of 60+ trackers, versus a typical ~3 on comparable government sites, leads to speculation about internal incentives, KPIs around “new customers,” or even kickbacks.
  • Commenters discuss how conversion tracking likely works: ads on LinkedIn drive users to Covered California, and embedded code reports back which users “converted.”
  • One user reports LinkedIn showing highly specific medical ads matching a recent procedure, raising suspicion about cross-system health data flow.
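
An audit for the behaviour discussed in this section, added here as an example and not taken from the discussion or from any site's code: enter unique canary answers into the form, export the browser session as a HAR file, then list every third-party host contacted and flag those that received a canary in clear text or as a SHA-256 hash. The hostnames, field names and canary values are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit, unquote_plus

FIRST_PARTY = "exchange.example"   # assumed site under audit
# Constructed canary answers typed into the form during the test session.
CANARIES = {"pregnancy_status": "canary-preg-7f3a",
            "prescription": "Canary Rx 91c2"}

# Constructed capture in HAR layout (log.entries[].request).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://exchange.example/api/apply",
                 "postData": {"text": '{"pregnancy_status": "canary-preg-7f3a"}'}}},
    {"request": {"url": "https://px.adnetwork.example/collect"
                        "?ev=conversion&status=canary-preg-7f3a"}},
    {"request": {"url": "https://t.tagvendor.example/e",
                 "postData": {"text": "page=%2Fapply&q=Canary+Rx+91c2"}}},
    {"request": {"url": "https://m.metrics.example/h?v="
                        + hashlib.sha256(b"canary rx 91c2").hexdigest()}},
    {"request": {"url": "https://static.exchange.example/app.js"}},
    {"request": {"url": "https://fonts.cdnhost.example/a.woff2"}},
]}}

def is_third_party(host, first_party=FIRST_PARTY):
    return host != first_party and not host.endswith("." + first_party)

def leaked_fields(request, canaries=CANARIES):
    """Names of canary fields present, in clear or as SHA-256 hex, in the request."""
    body = request.get("postData", {}).get("text", "")
    blob = unquote_plus(urlsplit(request["url"]).query + "&" + body).lower()
    return sorted(n for n, v in canaries.items()
                  if v.lower() in blob
                  or hashlib.sha256(v.lower().encode()).hexdigest() in blob)

def audit(har, first_party=FIRST_PARTY, canaries=CANARIES):
    """Return (third_party_hosts, {host: leaked field names})."""
    hosts, leaks = set(), {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname
        if not is_third_party(host, first_party):
            continue
        hosts.add(host)
        fields = leaked_fields(req, canaries)
        if fields:
            leaks.setdefault(host, set()).update(fields)
    return sorted(hosts), {h: sorted(f) for h, f in leaks.items()}

if __name__ == "__main__":
    print(audit(SAMPLE_HAR))
```

Canaries only catch values sent verbatim or as an unsalted SHA-256 digest; a tag that sends page URLs or event names that imply the answer needs manual review of the flagged hosts.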

Broader Surveillance & Harm Debate

  • Technical discussion covers cookies vs. fingerprinting, Chrome’s newer cohort-style tracking, and compartmentalization/VMs as defenses.
  • Some argue the real problem isn’t “big tech selling data” but everyone else handing it to them via embedded scripts.
  • Disagreement on harm: one camp calls this overblown since no concrete victims are identified; others counter that privacy invasions are harm in themselves and that the law doesn’t require demonstrable downstream damage.