US state health exchanges leaked customer data to Big Tech

Nearly all 20 state-run health insurance exchanges sent personal data, including race and citizenship info, to tech platforms—often without knowing what they were sharing.

TL;DR: Americans’ personal data has been shared with Big Tech firms through an unexpected source: ad trackers embedded in state health insurance sites, according to a Bloomberg report. It reveals that government sites trusted with your identity and health info don’t always fully know what they’re handing to tech platforms—and there’s no federal privacy law in the US to catch the gaps.

What happened: Bloomberg flagged exchanges in Washington State, Virginia, New York, New Mexico, Maryland, and Rhode Island, saying almost all of the 20 state-run sites embed trackers that sent personal information to TikTok, Meta, Snap, LinkedIn, Google, and more. The data exposed differs by state: Washington’s exchange shared information about sex, citizenship, and race. Virginia’s exposed ZIP codes to Meta (a spokesperson told Bloomberg ZIP codes weren't “personally identifiable information,” though that tracker was later removed). Sometimes just viewing a page is enough: New York’s exchange tracks which pages you visit, so clicking through to another page to enter details about incarcerated family members sends that activity to tech platforms.

Healthcare.gov, which is used by the other 30 states, doesn’t embed these specific trackers (though others are still likely present, as most websites use them)—and California already removed its trackers before Bloomberg’s review.

Why it happened: Websites embed such trackers to better target their marketing on platforms like Facebook and TikTok, but these state sites apparently didn’t grasp all the info being sent. Some trackers try to block sensitive data from reaching them, but the keyword filters don’t always catch everything—the TikTok tracker on Washington’s health exchange stripped out broader racial categories but left specific ethnicity details in. A cybersecurity expert told Bloomberg this was “a flawed and brittle process for filtering unwanted information.”

The accountability gap: Tech companies are saying it’s not their fault, as their terms of service say advertisers shouldn’t share sensitive info with them—pointing the finger at state governments instead. It’s unclear whether these platforms have used the data unwittingly provided, and there’s no federal privacy law to protect consumers. State laws, meanwhile, are patchwork, with varying standards for what counts as “sensitive data.” Several states only removed trackers after Bloomberg contacted them for comment.

Bottom line: Hospital websites used to deploy similar trackers—but that dropped from 98% in 2021 to 30% in 2025 due to the threat of “costly litigation,” per Bloomberg. State health exchanges apparently weren’t paying attention, though scrutiny like this could change that.

What this means for you: If you live in the US and enrolled in health insurance through your state’s exchange, you can try requesting that tech platforms delete your data (though mileage may vary). Going forward, you can protect yourself by checking your browser’s settings or installing a privacy extension. —WK

About the author

Whizy Kim

Whizy is a writer for Tech Brew, covering all the ways tech intersects with our lives.
