
State health insurance websites that are supposed to help people sign up for coverage have been quietly feeding some of their most sensitive data into the internet’s advertising machine. An investigation this week found that nearly all state-run health insurance marketplaces in the U.S. were using advertising trackers that sent applicants’ form responses to major ad‑tech companies, including details such as race, sex, citizenship status, ZIP code and even whether someone listed incarcerated family members. The findings pushed the District of Columbia to pause at least one tracker and led several states to pull pixels while they audit enrollment pages, raising fresh questions about how government-run services handle data that can be easily tied back to individuals.
What the investigation found
According to a report by Bloomberg, researchers combed through thousands of enrollment and informational pages across the 20 state-run marketplaces and the District of Columbia’s exchange and uncovered tracking pixels that transmitted application information to advertising platforms. Bloomberg reported that the tags sometimes sent more data than state officials realized, a troubling detail given that these pages collect individually identifying information tied to health coverage and eligibility. The investigation also notes that more than seven million people bought coverage this year through state exchanges, which magnifies the potential scale of exposure.
As TechCrunch summarized, the pixels included vendor tags from companies such as Google, LinkedIn, Meta and Snap. On the D.C. exchange, pages attempted to send applicants’ sex and citizenship responses to TikTok’s pixel, with some race fields masked and others not. TechCrunch also reported that New York’s exchange exposed application details that included whether an applicant listed incarcerated family members, and that Virginia removed a Meta tracker after the company was shown to be receiving ZIP codes. Those specific findings have prompted several exchanges to pull or pause tags while they investigate.
Not the first time
If this sounds familiar, that is because it is. An earlier investigation by The Markup and CalMatters found trackers on California’s exchange that were sending sensitive user details to LinkedIn and Google and led to a proposed class-action lawsuit, according to CalMatters. Covered California removed those tags and said it was reviewing what data may have been transmitted. Privacy researchers have been warning for years that pixels and third‑party analytics on healthcare pages can inadvertently ferry signals to advertising networks.
Legal and privacy risks
Federal officials have already tried to draw some bright lines. The Department of Health and Human Services’ Office for Civil Rights has written that “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI,” and laid out when tracking vendors must be treated as business associates under HIPAA. OCR’s bulletin and later enforcement activity make clear that hospitals and telehealth providers have faced scrutiny, and in some cases enforcement, for similar uses of pixels on patient‑facing pages. That history suggests state exchanges could be looking at audits or inquiries over whether their tagging practices fit within federal privacy rules.
How officials responded
A spokesperson for the Washington, D.C. exchange said residents’ email addresses, phone numbers and country identifiers were also shared with TikTok’s tracker, and the district has paused the pixel rollout while it investigates, according to TechCrunch. TechCrunch also reports that Virginia removed the Meta tag from its marketplace after being shown that ZIP codes were being transmitted. State IT teams say that fixes can sometimes be as simple as changing a single line of code, but privacy advocates warn that once data enters the ad‑tech ecosystem, the downstream chain of sharing and resale can be long and opaque.
How many people could be affected
Bloomberg points to the sheer scale of the exchanges to underscore the risk. More than seven million Americans purchased coverage through state exchanges in 2026, which means a misconfigured tracker on an enrollment page could touch a large number of people trying to secure government‑run coverage. Because ad‑tech ecosystems routinely match and resell identifiers, experts warn that even partially redacted fields can sometimes be re‑identified when combined with other signals. Those technical gaps are what regulators and privacy teams say can turn what looks like a local website configuration mistake into a systemic privacy problem.
What you can do
For people signing up for coverage, there are a few basic guardrails you can control. You can check your state exchange’s privacy policy before you start an application and consider using your browser’s private mode or an extension that blocks third‑party trackers while you fill out sensitive forms. Individuals who believe their information was exposed can file a complaint with the Office for Civil Rights, which explains on its complaint portal how to submit a privacy concern. State technologists told reporters that most exchanges are already auditing pages and stripping out nonessential tracking tags.
All of this highlights a broader reality about digital government services: the same analytics and advertising tools that help agencies measure traffic and run outreach campaigns can also create privacy risk when they sit on pages that collect highly sensitive information. Expect more states to audit, remove or tighten controls on third‑party tags as regulators and privacy teams keep pressing for clearer safeguards.
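The kind of page audit described above can be run offline: record the requests an enrollment page makes while a test application is filled in, then check whether any typed value reaches a host outside the exchange's own domain. The Python below is an added example, not code from any exchange or from the reporting; the domains, form values and captured requests are constructed placeholders.

```python
import json
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "exchange.example"  # assumption: placeholder for the marketplace's own domain
# Constructed sample: what a test applicant typed into the form (field -> value).
FORM_VALUES = {"sex": "female", "citizenship": "non-citizen", "zip": "20500",
               "email": "applicant@mail.example"}
# Constructed sample of captured outbound requests; every host is a placeholder.
REQUESTS = [
    {"url": "https://api.exchange.example/apply", "body": '{"sex": "female", "zip": "20500"}'},
    {"url": "https://px.adtech.example/collect?ev=FormStep&gender=female&zip=20500", "body": ""},
    {"url": "https://t.social.example/event",
     "body": '{"props": {"status": "non-citizen", "race": "****"}}'},
    {"url": "https://cdn.fonts.example/font.woff2", "body": ""},
]

def is_third_party(host, first_party=FIRST_PARTY):
    return not (host == first_party or host.endswith("." + first_party))

def flatten(obj):
    # Yield every scalar in a nested JSON value as a string.
    if isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from flatten(v)
    elif obj is not None:
        yield str(obj)

def sent_values(req):
    # Values carried in the query string, then in a JSON or form-encoded body.
    values = [v for _, v in parse_qsl(urlsplit(req["url"]).query)]
    body = req.get("body") or ""
    try:
        values += list(flatten(json.loads(body)))
    except ValueError:
        values += [v for _, v in parse_qsl(body)]
    return values

def audit(requests, form_values):
    # Match on values, not key names: a tag may rename "sex" to "gender".
    findings = set()
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host):
            continue
        carried = {v.strip().lower() for v in sent_values(req)}
        for field, value in form_values.items():
            if value.lower() in carried:
                findings.add((host, field))
    return sorted(findings)
```

The check only catches values sent verbatim; a masked field such as the `****` race value is not flagged, and hashed or otherwise transformed values would need separate handling.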









