A Bloomberg investigation published today reveals that almost all 20 U.S. state-run health insurance marketplaces shared citizenship status, race, email addresses, phone numbers, and ZIP codes with Meta, Google, TikTok, LinkedIn, and Snap through pixel trackers on government application forms. Seven million Americans who purchased health insurance through state exchanges are affected.
Applicants filling out health insurance forms had their citizenship status and race transmitted to advertising companies without their knowledge or consent. Virginia and Washington, D.C. paused tracking after Bloomberg’s exposure, but 7 million Americans’ data has already been shared with ad tech giants.
What Was Shared
Pixel trackers are tiny images embedded in websites to collect user data for advertising. Google Analytics, Meta Pixel, and TikTok Pixel are standard tools in web development for behavioral tracking and conversion measurement.
Washington, D.C.’s marketplace shared applicants’ sex, race, email, phone, and country identifiers with TikTok. TikTok’s pixel “attempted to redact” some races but not others. Virginia shared ZIP codes with Meta. New York transmitted information about incarcerated family members to tech companies.
The mechanism: Applicant fills out health insurance application → Pixel tracker captures form data → Transmits citizenship and race to Meta, Google, or TikTok for ad targeting.
Virginia removed the Meta tracker. D.C. paused TikTok tracking. The other 18 states haven’t confirmed removing trackers.
How This Happened: Developer and Procurement Failure
Marketing agencies include Google Analytics and Meta Pixel in default website templates for “analytics.” Developers treat government application forms like e-commerce checkout flows. No technical review exists in government procurement—non-technical officials approve vendors without privacy audits.
Result: Government sites tracking citizenship status and race use the same pixels as commercial sites tracking shopping carts.
A 2024 HIPAA Journal study found 33% of healthcare websites still use Meta Pixel despite known risks. The same JavaScript that retargets ads for abandoned shopping carts now tells Meta which government health insurance applicants aren’t U.S. citizens.
Government websites handling citizenship and race—protected classes that could enable discrimination—installed the same careless analytics as Shopify stores.
This Keeps Happening
Novant Health paid $6.6 million in 2024 for transferring protected health information via tracking pixels. BetterHelp paid $7.8 million to the FTC in 2023 for sharing health data without consent. A 2025 Cal Matters investigation found Nevada, Maine, Massachusetts, and Rhode Island marketplaces sharing prescription drug names—including Prozac—with LinkedIn and Snapchat.
Healthcare and government sites install standard analytics without recognizing that “anonymous” tracking becomes sensitive when pages contain citizenship applications or prescription information. Developers follow industry practices: Add Google Analytics, include Meta Pixel. Default web development practices create privacy violations on government and healthcare sites.
HIPAA Doesn’t Apply to Marketplaces
Health insurance marketplaces may not be HIPAA-covered entities. HIPAA applies to healthcare providers, health plans, and clearinghouses—not state agencies running insurance exchanges. A 2024 Texas federal court ruled that HHS exceeded its authority in extending HIPAA to webpage tracking.
State privacy laws may apply, but there’s no clear federal protection for citizenship and race data collected on marketplace applications. Without HIPAA enforcement, marketplaces had no legal barrier to pixel trackers.
Government agencies should protect citizen data even when the law doesn’t mandate it.
What Developers Need to Learn
Seven million Americans’ data—citizenship status, race, contact information—has already been transmitted to ad tech platforms. That data can’t be retrieved. Whether the other 18 states removed trackers remains unknown. Class action lawsuits are likely.
Developer takeaways:
- Audit third-party scripts on government and healthcare sites before deployment
- Stop defaulting to Google Analytics and Meta Pixel on sensitive forms
- Use privacy-preserving analytics: server-side tracking or self-hosted tools like Plausible
- Government procurement needs technical privacy review before approving vendors
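One way to run the first takeaway as a pre-deployment gate, shown as an added example (not code from Bloomberg or any marketplace): it flags every non-first-party host on a page whose form contains sensitive fields, including hosts that only appear inside an inline loader snippet. The keyword list, the vendor map, the sample page and the names `FormPageAudit` and `audit` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed keyword list, and a short non-exhaustive map of widely used tag hosts.
SENSITIVE = ("citizen", "race", "email", "phone", "zip")
VENDORS = {"connect.facebook.net": "Meta Pixel", "analytics.tiktok.com": "TikTok Pixel",
           "www.googletagmanager.com": "Google tag", "snap.licdn.com": "LinkedIn Insight Tag"}
QUOTED_URL = re.compile(r"""["'](?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})""", re.I)
# Constructed sample page, not taken from any real marketplace site.
SAMPLE = """<form action="/apply"><select name="citizenship_status"></select>
<input name="applicant_email"><input name="household_size"></form>
<script src="/static/app.js"></script><img src="https://cdn.example.org/logo.png">
<script src="https://analytics.tiktok.com/i18n/pixel/events.js"></script>
<script>var t=document.createElement('script');
t.src='https://connect.facebook.net/en_US/fbevents.js';</script>"""


class FormPageAudit(HTMLParser):
    """Collects external hosts and sensitive form field names from one page."""

    def __init__(self):
        super().__init__()
        self.hosts, self.fields, self.in_script = set(), set(), False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname  # None for relative (first-party) URLs
            if host:
                self.hosts.add(host)
        if tag in ("input", "select", "textarea"):
            name = (a.get("name") or a.get("id") or "").lower()
            if any(k in name for k in SENSITIVE):
                self.fields.add(name)
        self.in_script = tag == "script"

    def handle_endtag(self, tag):
        self.in_script = False

    def handle_data(self, data):
        # Pixels are often injected by an inline loader, so scan script text too.
        if self.in_script:
            self.hosts.update(h.lower() for h in QUOTED_URL.findall(data))


def audit(html, first_party):
    """Map each non-first-party host on a sensitive form page to a vendor label."""
    page = FormPageAudit()
    page.feed(html)
    third = sorted(page.hosts - set(first_party)) if page.fields else []
    return {h: VENDORS.get(h, "unknown third party") for h in third}
```

Static parsing only sees what is in the served HTML; tags added later by a tag manager need a check of the rendered page's network requests as well.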
Context matters. Pixel trackers acceptable for e-commerce shopping carts are unacceptable for citizenship application forms. Developers building government and healthcare sites have different responsibilities than those building commercial sites. Citizenship and race data in advertisers’ hands creates discrimination risk that shopping cart data never will.
Government websites installed advertising trackers on citizenship forms because developers treated government applications like e-commerce checkouts. No one asked whether Meta, Google, and TikTok should know who’s applying for health insurance and whether they’re U.S. citizens.
The most sensitive government data gets handled with the least care.













