State Health Insurance Websites Are Leaking Patient Data to Ad Companies

State health insurance exchanges are leaking patient data like sex, citizenship, and race to advertising companies through embedded trackers, despite privacy policies prohibiting such sharing. The iss

Martin Holloway · Published 3d ago · 5 min read · Based on 8 sources

Nearly all 20 state-run health insurance exchanges across the United States have embedded advertising trackers that share user activity with major technology companies like Meta, TikTok, and Google, according to a Bloomberg News investigation. Researchers reviewed thousands of pages on state exchanges and the Washington, DC marketplace and found sensitive personal information being transmitted in violation of both company policies and the exchanges' own privacy promises.

The leaked data includes details that people assume are protected. Washington state's exchange sent applicants' sex and citizenship answers directly to TikTok, along with race data that the company's filters failed to block. Even more striking, DC Health Link explicitly states in its privacy policy that it will not share personal information with third parties—yet it was doing exactly that through these trackers.

What the Rules Say vs. What Actually Happens

Meta, TikTok, LinkedIn, Snap, and Google all have public policies that ban advertisers from sharing health-related or other sensitive data through their tracking pixels. TikTok and Snap are especially explicit: they forbid sharing sensitive information even when it appears in a webpage's URL, which is a common (and usually unintentional) way that healthcare data ends up getting transmitted.

The problem reveals a deeper issue with how government digital services manage data. State health exchanges operate under privacy rules similar to HIPAA—the federal health privacy law—but they also want to use commercial ad networks to attract and measure user engagement. These two goals pull in opposite directions.

Washington and Virginia removed some of their trackers after Bloomberg contacted them, which suggests these implementations were never properly checked for data leaks before going live.

Why This Keeps Happening

This situation has echoes in the troubled launch of HealthCare.gov in 2013-2014, when the federal government prioritized speed over security. The federal government's Office of Inspector General later documented extensive problems with how the Centers for Medicare and Medicaid Services managed the rollout, including failures to properly check what data was being transmitted.

Today's state exchanges appear to be layering commercial web analytics on top of systems that were originally designed around secure federal data sharing. The federal government runs a Data Services Hub that connects state exchanges to agencies like the Social Security Administration and IRS through formal security agreements. But while that federal data flows through secured channels, the websites themselves leak information through commercial ad trackers. It is a split system where the back-end is protected but the front-end is not.

When the federal marketplace had problems in 2014, officials discovered the issue required operational changes that focused on coordination and clear priorities—disciplines that appear absent from how states set up these trackers.

How the Leak Actually Works

Standard advertising pixels work by automatically collecting whatever data exists on a webpage when someone visits or fills out a form. They capture information from text fields, URL parameters, and page metadata—the behind-the-scenes code that structures a webpage. This works fine for most websites, but in a healthcare enrollment flow, that data includes sensitive information: income ranges, health conditions, family status, and more.

State exchanges likely added these trackers to measure whether their marketing campaigns were working and to optimize how people move through the enrollment process. These are standard digital marketing practices. But the healthcare context changes everything. On a shopping website, tracking is routine. On a health insurance enrollment site, it can become a HIPAA violation and a breach of platform policies.

The filters that TikTok and other platforms use to catch sensitive data appear not to work well in healthcare contexts, where personal information can hide in form fields, URLs, or page code in ways commercial filters were not designed to detect.
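As an added example (not code from the article or from any exchange), here is a small audit helper a privacy or security reviewer could run over requests captured from a browser's network export while walking through an enrollment flow; it flags the three leak paths the article describes: sensitive form values placed in the tracker request's own query string, in a JSON event body, and inside a page URL forwarded as a parameter. Tracker hosts, parameter names and values are constructed placeholders.

```javascript
// Added audit helper, not code from the article or any exchange: scans captured
// outbound tracker requests for the kinds of fields the article says leaked.
const SENSITIVE_KEYS = ['sex', 'gender', 'citizenship', 'race', 'ethnicity',
  'income', 'health_condition', 'pregnant', 'disability'];
// "cd[sex]" or "properties.sex" -> "sex", so nested parameter names still match.
const leafKey = (key) => key.toLowerCase().replace(/\]/g, '').split(/[\[.]/).pop();
const isSensitive = (key) => SENSITIVE_KEYS.includes(leafKey(key));
// Walk a value (plain string, URL string or nested JSON object) collecting hits.
function collect(value, path, hits) {
  if (typeof value === 'string') {
    // A page URL forwarded as a parameter (e.g. "dl=") carries the enrollment
    // page's own query string, which is where URL-based leaks hide.
    if (!/^https?:\/\//i.test(value)) return;
    try {
      for (const [k, v] of new URL(value).searchParams) {
        if (isSensitive(k)) hits.push({ path: `${path}?${k}`, value: v });
      }
    } catch { /* not a parseable URL */ }
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (isSensitive(k)) hits.push({ path: `${path}.${k}`, value: String(v) });
      collect(v, `${path}.${k}`, hits);
    }
  }
}
// request = { url, body } as a proxy or browser HAR export records it.
function auditTrackerRequest(request) {
  const hits = [];
  const u = new URL(request.url);
  for (const [k, v] of u.searchParams) {
    if (isSensitive(k)) hits.push({ path: `query.${k}`, value: v });
    collect(v, `query.${k}`, hits); // catches a page URL nested in a parameter
  }
  if (request.body) {
    let parsed;
    try { parsed = JSON.parse(request.body); }
    catch { parsed = Object.fromEntries(new URLSearchParams(request.body)); }
    collect(parsed, 'body', hits);
  }
  return { host: u.host, hits };
}
// Keeps only the requests that carried something sensitive.
const auditAll = (reqs) => reqs.map(auditTrackerRequest).filter((r) => r.hits.length);
// Constructed sample capture: hosts and values are placeholders, not real traffic.
const SAMPLE_REQUESTS = [
  { url: 'https://tracker.example/pixel?ev=PageView&cd[sex]=F&cd[citizenship]=yes' },
  { url: 'https://events.tracker.example/track',
    body: JSON.stringify({ event: 'SubmitForm', properties: { race: 'asian', plan: 'silver' } }) },
  { url: 'https://analytics.tracker.example/collect?dl=' +
    encodeURIComponent('https://exchange.example/apply?step=3&income=45000') },
  { url: 'https://analytics.tracker.example/collect?t=pageview&dl=https%3A%2F%2Fexchange.example%2Fplans' },
];
```

Running `auditAll(SAMPLE_REQUESTS)` reports the first three requests with the exact parameter path that carried the sensitive value, while the plain page-view beacon produces no finding; the same check belongs in a pre-release privacy review, not only after a journalist calls.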

The Broader Picture

These leaks happened as government data sharing itself faces more scrutiny. A federal judge recently stopped the Social Security Administration from sharing data with the Department of Government Efficiency after finding that DOGE had accessed sensitive Social Security data without proper oversight.

The broader context here involves a tension that government IT departments have not yet solved well. State health exchanges operate in a regulatory environment stricter than most government websites, but they face pressure to acquire users and measure engagement the way commercial insurance platforms do. That collision between healthcare privacy rules and commercial web practices created the conditions for these leaks.

Washington and Virginia's decision to remove trackers shows awareness once the problem was public, but how widespread the problem was suggests it was not caught by normal privacy review processes. As more healthcare moves online and states try to optimize enrollment through digital marketing, this kind of tension will keep appearing unless government agencies develop better technical and policy safeguards.

The immediate solution is straightforward: remove the trackers or configure them properly so they do not transmit sensitive data. But the underlying challenge runs deeper. It is about how to use commercial web tools responsibly when handling the kind of personal information that healthcare requires. This problem extends well beyond state health exchanges to any government service that collects sensitive data while maintaining a public website.