Cooper Quintin, a staff technologist with the Electronic Frontier Foundation, said the government's changes are "a great first step," but more needs to be done.
For example, the health site should disable third-party tracking for people who enable the "do not track" feature on their web browsers.
"HealthCare.gov should meet good privacy standards for all its users," he said. The foundation is a civil liberties group.
Quintin had verified the AP's initial findings and added more detail, showing that HealthCare.gov was sending personal health information to at least 14 third-part Internet domains.
Privacy advocates say the mere presence of connections to private companies on the government's website —even if they don't explicitly receive personal data— should be examined because of their ability to reveal sensitive information about a user.
Third-party outfits that track website performance are a standard part of e-commerce. It's a lucrative business, helping Google, Facebook and others tailor ads to customers' interests. Because your computer and mobile devices can be assigned an individual signature, profiles of Internet users can be pieced together, generating lists that have commercial value.
The third-parties embedded on HealthCare.gov can't see your name, birth date or Social Security number. But they may be able to correlate the fact that your computer accessed the government website with your other Internet activities.
Have you been researching a chronic illness like coronary artery blockage? Do you shop online for smoking-cessation aids? Are you investigating genetic markers for a certain type of breast cancer? Are you seeking help for financial problems, or for an addiction?
Google told the AP it doesn't allow its systems to target ads based on medical information.
Sens. Orrin Hatch, R-Utah, and Chuck Grassley, R-Iowa, called the situation "extremely concerning" for consumers. Grassley said Friday it's still unclear how consumers' information is being used and he wants a full explanation.
"People using HealthCare.gov should have the confidence that their information is secure and not being used for sales pitches by outside firms," he said in a statement.
Officials of the Health and Human Services Department had at first defended their information-sharing practices. There is no evidence that consumers' personal information was misused, they said.
HealthCare.gov is the online gateway to government-subsidized private insurance for people who lack coverage on the job. It serves 37 states, while the remaining states operate their own insurance markets. The privacy concerns surfaced just as the president was calling for stronger Internet safeguards for consumers, in his State of the Union speech.
The website was crippled by serious technical problems when it made its debut in the fall of 2013. This year it has worked much better, a marked contrast. The administration is aiming to have more than 9 million people signed up by Feb. 15, the last day of open enrollment.
But the privacy issues were a reminder that the website remains a work in progress, like the underlying law that created it.