Federal health officials urged to probe California privacy breach

On April 30, 2025, Representative Kevin Kiley (CA-3) formally requested that U.S. Secretary of Health and Human Services Robert F. Kennedy Jr. investigate serious privacy violations involving Covered California, the state's Affordable Care Act (ACA) health insurance exchange.

What happened

A forensic investigation revealed that Covered California had been using digital trackers to collect and transmit sensitive personal health information of tens of thousands of Californians to LinkedIn as part of a marketing campaign. The compromised data included details such as pregnancy status, prescription drug use, gender identity, and experiences of domestic violence. This action potentially contravenes HIPAA and other privacy laws.

In his letter, Rep. Kiley posed several critical questions:

  • Did Covered California violate HIPAA or any other laws?
  • Who authorized the use of these trackers?
  • What controls exist to protect data privacy in California’s ACA exchange?
  • How did Covered California evade these controls?
  • How many people have been impacted?
  • Have all of them been notified?
  • Has any restitution been offered? If so, how much/what type?
  • Why did Covered California use the trackers contrary to LinkedIn’s explicit guidance?
  • How can something like this be prevented in the future?

In the know: HHS's scope over the state government

In situations like the Covered California privacy breach, HHS has a unique and critical role that extends beyond what a state government can typically do. While state governments manage and operate programs like ACA exchanges, HHS is responsible for enforcing federal standards, especially those under HIPAA, that protect the privacy and security of individuals’ health information nationwide.

This means HHS has the authority to investigate whether federal privacy laws were violated, regardless of whether the violator is a private entity or a state-run program. Unlike a state agency, HHS can conduct independent, nationwide audits, impose federal civil monetary penalties, and require corrective action plans that are binding under federal law. Additionally, HHS can refer cases to the Department of Justice for criminal prosecution, if necessary. The state government, by contrast, may be limited by local political pressures, conflicts of interest, or lack of jurisdiction to enforce federal law.

What was said 

Rep. Kiley emphasized the gravity of the situation, stating, “This is incredibly disturbing. It appears that the privacy rights of Californians were recklessly violated.” He urged Secretary Kennedy to conduct a thorough investigation to determine the extent of the breach, identify those responsible, and implement measures to prevent future occurrences.

FAQs

What is HHS?

The U.S. Department of Health and Human Services (HHS) is a federal agency responsible for protecting the health and well-being of all Americans by providing essential health and human services, supporting scientific research, and enforcing health regulations.

What are the main programs administered by HHS?

HHS administers programs such as Medicare, Medicaid, the Children’s Health Insurance Program (CHIP), public health initiatives, disease prevention, food and drug safety, and biomedical research through agencies like the CDC, FDA, and NIH.

How does HHS update the Federal Poverty Level (FPL) standards?

HHS updates the Federal Poverty Level standards annually, based on changes in the Consumer Price Index for All Urban Consumers (CPI-U), to determine eligibility for programs like Medicaid and CHIP.