State Health Exchange Data Leaks: Tracker Data Sent to Meta and Other Platforms

A Bloomberg investigation found state health insurance exchanges in Washington, Virginia, and New York sending citizenship status, race, sex, and ZIP code data to Meta, TikTok, Snap, and LinkedIn — through trackers embedded in the government websites themselves.

By They Didn't Ask

What Bloomberg found

On May 4, 2026, Bloomberg published an investigation of 20 state-run health insurance exchange websites. Advertising trackers embedded in those government sites were transmitting sensitive data to Meta, TikTok, Snap, and LinkedIn. The specific findings:

- Washington's exchange sent sex and citizenship data to TikTok
- Virginia's premium estimator sent ZIP codes to Meta
- New York's exchange sent page visits — including pages about incarcerated family members — to ad tech companies
- TikTok's keyword-based filtering failed to catch specific racial descriptions embedded in page metadata

These are not third-party apps with weak privacy policies. These are the government websites you use to apply for health insurance.

How the trackers got there

State health exchanges use third-party analytics and advertising tools to optimize their sites. The same Meta Pixel, TikTok Pixel, and LinkedIn Insight Tag that retargets you for shoes also fires when you look up health plans. The data transmitted typically includes:

- Page URL and page title — which contain the specific plan, condition, or service you searched
- Form field data — in some cases, ZIP codes entered into premium estimators were sent to ad platforms
- Session metadata — browser fingerprint, device type, referrer
- User identifiers — email hashes or cookie IDs that ad platforms can match to existing profiles

The tracker discovers you're looking at health insurance. It reports that fact to Meta. Meta adds it to your ad profile. The next day, ads for different plans follow you across the web.

Why this is different from the wellness app problem

The earlier wave of health data leaks (GoodRx, BetterHelp) involved private health apps sharing data with advertisers. Bad, but the government was the regulator, not the source. In this case, the government website itself is the leak. State exchanges are official portals for enrolling in taxpayer-subsidized health coverage. They are not supposed to be data collection platforms for ad tech companies.

The legal gap

HIPAA does not cover most state health exchange websites, because the exchange itself is not a "covered entity" in the traditional sense — it facilitates enrollment but does not provide treatment or payment. The websites are subject to state privacy laws and the Health Breach Notification Rule, but enforcement has been inconsistent.

The FTC has precedent: the 2023 GoodRx and BetterHelp settlements established that sending health-adjacent data to ad platforms via tracking pixels is an unfair practice. Those cases involved private companies. State governments are a different enforcement challenge, because the same entity that runs the site is the entity that would need to be sued.

What you can do

- Use a separate browser profile for health insurance applications. A clean Firefox profile with uBlock Origin blocks most trackers.
- Do not log into Meta, TikTok, or LinkedIn while shopping for insurance. The tracker can only match data if you are logged into those platforms.
- File a CCPA deletion request with the major data brokers. The link between what you searched on the exchange and your ad profile passes through broker databases.
- Contact your state insurance commissioner and ask whether your state exchange uses advertising trackers. State legislators have the power to ban third-party trackers on government websites — several states have already done so.

The government website sending your health data to ad platforms is not a hack. It is a feature of how government IT contracts are written, and it will keep happening until state laws explicitly ban third-party tracking on public benefit enrollment sites.
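
For site operators who want to check their own pages for the data categories listed under "How the trackers got there", the following is an added example and not code from Bloomberg or any exchange. It scans request URLs exported from a browser session (for instance a HAR file) and reports which ad-platform requests carry the page URL, the page title, or a ZIP-like value. The site host, sample requests, parameter names and the 5-digit ZIP heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Domains operated by the four platforms named in the article (not exhaustive).
TRACKER_DOMAINS = {
    "facebook.com": "Meta", "facebook.net": "Meta", "tiktok.com": "TikTok",
    "snapchat.com": "Snap", "sc-static.net": "Snap",
    "linkedin.com": "LinkedIn", "licdn.com": "LinkedIn",
}
ZIP_LIKE = re.compile(r"(?<!\d)\d{5}(?!\d)")  # heuristic: an isolated 5-digit run

def platform_for(host):
    """Map a hostname to a platform if it is a tracker domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    for domain, name in TRACKER_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None

def audit(site_host, page_title, request_urls):
    """Return sorted (platform, parameter, kind) findings for third-party requests."""
    findings = set()
    for url in request_urls:
        parts = urlsplit(url)
        platform = platform_for(parts.hostname)
        if platform is None:
            continue  # first-party or unlisted host: out of scope for this check
        for key, value in parse_qsl(parts.query):  # parse_qsl percent-decodes values
            if site_host in value:
                findings.add((platform, key, "page_url"))
            if page_title and page_title.lower() in value.lower():
                findings.add((platform, key, "page_title"))
            if ZIP_LIKE.search(value):
                findings.add((platform, key, "zip_like"))
    return sorted(findings)

# Constructed sample: request URLs as they might appear in a browser HAR export.
# Hostnames belong to the platforms; paths, parameter names and values are made up.
SAMPLE = [
    "https://www.facebook.com/tr?id=0000000000&ev=PageView"
    "&dl=https%3A%2F%2Fexchange.state.example%2Festimate%3Fzip%3D98101",
    "https://analytics.tiktok.com/pixel?t=Premium+Estimator"
    "&u=https%3A%2F%2Fexchange.state.example%2Festimate",
    "https://px.ads.linkedin.com/collect?pid=000000&fmt=gif",
    "https://exchange.state.example/static/app.js?v=12345",
]

if __name__ == "__main__":
    for finding in audit("exchange.state.example", "Premium Estimator", SAMPLE):
        print(finding)
```

A finding of kind `page_url` alone can already expose the plan or service viewed, since the path and query string of the first-party page travel inside the tracker request.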