Nearly all 20 U.S. state-run health insurance marketplaces were found to be transmitting sensitive applicant data to major advertising and technology companies through misconfigured web tracking pixels. A Bloomberg investigation reported that data sent from exchange websites included details such as race, sex, email addresses, phone numbers, ZIP codes, country identifiers, and even whether applicants had incarcerated family members. The recipients reportedly included Google, LinkedIn, Meta, Snap, and TikTok, raising concerns that government healthcare platforms leaked protected personal and health-related information at scale.
The exposure affected marketplaces used by more than seven million Americans buying health insurance this year, significantly widening the potential impact. Specific cases included New York's exchange sharing incarceration-related family information, Washington, D.C.'s exchange sending race and sex data to TikTok, and Virginia removing a Meta tracker after ZIP code sharing was identified. Following the findings, Washington, D.C. paused its TikTok tracker rollout and Virginia removed Meta's tracker, underscoring how embedded analytics and advertising tools on public-sector healthcare sites can create broad privacy risks.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
After the investigation's findings, Virginia removed Meta's tracker from its state health insurance exchange website. The tracker was reported to have shared applicant ZIP code information.
Following Bloomberg's reporting, Washington, D.C.'s health insurance exchange paused its rollout of a TikTok tracker. The tracker had reportedly been sending applicant sex and race data.
A Bloomberg investigation found that nearly all 20 U.S. state-run health insurance marketplaces were sending sensitive applicant information to advertising and technology companies through misconfigured pixel trackers. Reported data shared across exchanges included details such as race, sex, email address, phone number, ZIP code, country identifiers, and incarceration-related family information.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcetechcrunch.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.