US Healthcare Marketplaces Under Fire for Data Sharing with Advertisers
TL;DR
- Almost all 20 state-run U.S. health insurance marketplaces have been sharing sensitive resident data—including citizenship status, race, sex, and ZIP codes—with major tech companies like Google, Meta, TikTok, LinkedIn, and Snap through advertising pixel trackers.
- Virginia and Washington, D.C. have already removed tracking tools from their exchange websites after Bloomberg's investigation revealed the unauthorized data sharing, with other states taking similar action.
- The practice exploits misconfigured pixel trackers commonly used for web analytics, exposing millions of Americans who purchased insurance through state exchanges to privacy violations with no clear consent or awareness.
The Investigation That Exposed a Privacy Crisis
A comprehensive investigation by Bloomberg has uncovered a troubling reality: nearly all 20 state-run health insurance marketplaces in the U.S. have been quietly sharing residents' sensitive personal information with advertising and technology giants. The investigation reveals that pixel-sized trackers embedded on these government websites have been collecting and transmitting data about visitors to companies including Google, LinkedIn, Meta, Snap, TikTok, and Nextdoor—often without users' knowledge or explicit consent.
The scope of this breach is staggering. More than seven million Americans purchased health insurance through state exchanges in 2026, meaning millions of people may have had their personal information shared with corporate advertising networks while simply trying to enroll in health coverage.
What Data Is Being Shared?
The types of information being transmitted to tech companies are deeply personal and sensitive. New York's health insurance exchange shared application information with tech companies about whether residents had incarcerated family members. Washington, D.C.'s exchange transmitted data about residents' sex and race to multiple companies, including TikTok, though some racial categories were masked while others were not.
Additional data being collected and shared includes ZIP codes, citizenship status, country identifiers, email addresses, and phone numbers. This information is being harvested at the moment when Americans are most vulnerable—when they're seeking essential healthcare coverage and providing detailed personal information as part of the application process.
How the Data Leaks Occur
The culprit behind these privacy breaches is a common digital advertising tool: pixel trackers. These tiny, invisible pieces of code are typically placed on websites for legitimate purposes like web analytics and bug identification. However, when misconfigured or placed on websites containing sensitive content—such as healthcare data—these trackers can inadvertently collect and transmit personal information to third parties.
The problem is systemic. These trackers allow website owners to collect information about visitors for advertising purposes, but healthcare exchanges should never have been using them in this manner. The presence of advertising pixels on government health insurance websites represents a fundamental misuse of tracking technology in a context where privacy should be paramount.
States Take Action to Halt the Practice
Following Bloomberg's report, several states have moved quickly to address the problem. Washington, D.C. paused its rollout of the TikTok tracker after the investigation revealed data sharing. Virginia removed the Meta tracker from its website after discovering it was transmitting residents' ZIP codes to the tech giant.
These actions represent important first steps, but they also underscore how widespread the problem has become. The fact that multiple states needed to take corrective action suggests that privacy protections were inadequate from the start, and that oversight of these government platforms has been insufficient.
A Pattern of Exploitation in Health Data
This isn't an isolated incident. The healthcare sector has a troubling history of data misuse. Telehealth startups and major healthcare companies have previously been forced to notify millions of people that they inadvertently collected and shared health information with tech companies whose business models depend on monetizing consumer data for advertising purposes.
The difference with state healthcare exchanges is the scale and the trust involved. These are government-operated platforms designed to help Americans comply with the Affordable Care Act. Citizens reasonably expect that information shared on such official channels would be protected, not sold to advertisers.
The Broader Health Data Monetization Problem
Beyond state exchanges, the exploitation of health data has become a widespread industry practice. Health app data commands significantly higher prices in advertising markets than general demographic information because it enables precise targeting based on medical conditions and life circumstances. Pharmaceutical companies, health insurance providers, and wellness product marketers pay premium rates for access to audiences segmented by specific health concerns.
Mental health apps share emotional state data with an average of 12 advertising partners, while reproductive health platforms create detailed profiles tracking fertility windows, pregnancy symptoms, and family planning decisions. This data is then correlated with shopping behavior and location patterns, creating comprehensive profiles of individuals' most intimate circumstances.
The fundamental issue is structural: venture capital funding models incentivize aggressive data monetization. Companies offering free health tracking services face investor pressure to generate revenue through data sales rather than sustainable subscription models, explicitly valuing platforms based on their data collection capabilities and advertiser relationships.
Insurance Industry Implications
Perhaps most concerning, investigations have uncovered data flows between health apps and insurance industry analytics firms. While direct sales to health insurers remain limited by regulatory restrictions, third-party data aggregators purchase health app information and create predictive models about user health risks and healthcare utilization patterns.
These models influence insurance pricing, employer wellness programs, and healthcare access decisions. Users unknowingly tracking chronic conditions through apps may generate data that affects their insurability or employment prospects through complex data broker networks operating beyond traditional healthcare privacy protections.
The HIPAA Gap
A critical vulnerability in current privacy protections is that HIPAA—the Health Insurance Portability and Accountability Act—does not cover consumer health apps operating independently of the medical system. This creates a regulatory blind spot that enables widespread exploitation. Health app privacy policies average more than 3,000 words with critical data-sharing disclosures buried dozens of paragraphs deep, making it virtually impossible for consumers to understand how their information is being used.
Company Responses and Accountability
Following the Bloomberg investigation, Meta issued a statement to media outlets claiming that the company "does not permit or want advertisers to share sensitive information with us through our business tools" and that "our systems are designed to detect and filter out information that appears potentially sensitive." The company noted that advertisers are ultimately responsible for the data they choose to share.
However, such responses raise questions about accountability and oversight. If tech companies' systems are truly designed to filter sensitive data, how did citizenship, race, and sex information make it through? The explanations suggest that responsibility is being deflected to advertisers, even as the tech platforms benefit from the data collection infrastructure.
What Comes Next
The Bloomberg investigation has sparked action from state officials and heightened public awareness of the privacy crisis in healthcare data. However, comprehensive solutions remain elusive. Stronger regulatory oversight, mandatory transparency requirements, and technical safeguards to prevent pixel trackers from being placed on sensitive government websites are all necessary steps.
For the millions of Americans who have already had their information shared with advertising networks, the damage is done. The investigation serves as a stark reminder that even government-operated platforms designed to provide essential services are vulnerable to data exploitation—and that vigilance, transparency, and accountability in the digital health ecosystem remain critically lacking.
Get All The Latest Updates Delivered Straight To Your Inbox For Free!