State health insurance marketplaces shared sensitive data with ad tech firms, report says

Government health enrollment sites are under renewed scrutiny over tracking technology

Almost all of the 20 state government-run health insurance marketplaces in the United States shared residents’ application information with advertising and technology companies, according to a Bloomberg investigation summarized by TechCrunch. The companies named include Google, LinkedIn, Meta, and Snap, and the reported data exposure extended into highly sensitive territory.

The core issue was the use of pixel-based trackers, small snippets of code often deployed for analytics, debugging, and advertising measurement. These tools are common across the web. But when they are placed on pages that handle sensitive information, poor configuration can turn them into channels for leaking data that users would reasonably assume is private.

What the investigation found

Per the reporting cited by TechCrunch, New York’s health insurance exchange shared information with several tech companies about a person’s application, including whether they supplied details about incarcerated family members. Washington, D.C.’s exchange asked users about sex and race, and Bloomberg found that TikTok’s pixel attempted to redact some race values while leaving others exposed. A spokesperson for the D.C. exchange said residents’ email addresses, phone numbers, and country identifiers were also shared with TikTok.

After Bloomberg raised questions, Washington, D.C. paused its TikTok tracker rollout, and Virginia removed the Meta tracker from its marketplace after it was found to be sharing ZIP codes. Those responses matter because they indicate at least some operators accepted that the reported behavior was serious enough to halt or reverse.

The scale is also difficult to dismiss. TechCrunch notes that more than seven million Americans bought health insurance for the current year through a state health insurance exchange. Even a configuration problem affecting a subset of those users is therefore not small in practical terms.

This is a familiar failure pattern in health data

The article emphasizes that this is not a new privacy category. Hospitals, telehealth firms, and other health companies have already faced public backlash and, in some cases, notification requirements after inadvertently sharing health-related information with advertising platforms. What makes the marketplace case especially striking is that the sites involved are government-run enrollment systems tied to essential public services.

That changes the stakes. Consumers may accept that commercial websites track behavior aggressively, even if they dislike it. They do not expect the same norms to apply when they are applying for health coverage through a public exchange. The trust assumptions are different, and so is the sensitivity of the data.

There is also a governance lesson here. The problem is not the existence of a pixel tracker in the abstract. It is the mismatch between generic web-growth tooling and high-sensitivity workflows. Tools built for conversion optimization can behave badly when inserted into systems designed for healthcare, benefits, or legal status screening.

Why the details matter

The mention of race, sex, incarceration-related family information, email addresses, phone numbers, and country identifiers is significant because it shows how quickly “analytics” implementation can drift into regulated or ethically charged territory. Even if a platform does not intend to use such fields for ad targeting, the transfer itself can create legal, political, and trust consequences.

It also complicates the public story technology companies often tell about their products. Pixel trackers are marketed as simple, useful tools for site operators. But the operational burden of using them safely is much higher on sensitive sites than that framing suggests. If the site owner does not fully understand every data field the page can expose, “simple” instrumentation becomes a liability.

What comes next

The immediate consequence is likely to be more audits of state exchanges and other public-service websites. The broader consequence may be a harder line on whether advertising trackers belong anywhere near systems that process healthcare and eligibility data.

The reporting does not suggest every marketplace behaved identically, nor does it settle every legal question. But it clearly shows a structural weakness: the modern web’s standard tracking stack can collide badly with sensitive public infrastructure.

For users, the lesson is uncomfortable. Filling out a health coverage application may look like a private administrative act. On too many sites, it appears to have also become a data-sharing event.

• Bloomberg, cited by TechCrunch, found widespread sharing of marketplace application data with ad tech firms.
• Reportedly shared data included sensitive fields such as race, sex, and incarceration-related family information.
• Washington, D.C. paused its TikTok tracker rollout, and Virginia removed a Meta tracker after the findings.
• More than seven million Americans purchased this year’s coverage through state exchanges, TechCrunch noted.

This article is based on reporting by TechCrunch. Read the original article.