State Health Insurance Exchanges Exposed Sensitive Applicant Data to Ad Tech Firms
Nearly all 20 U.S. state-run health insurance marketplaces were found to be transmitting sensitive applicant data to major advertising and technology companies through misconfigured web tracking pixels. A Bloomberg investigation reported that data sent from exchange websites included details such as race, sex, email addresses, phone numbers, ZIP codes, country identifiers, and even whether applicants had incarcerated family members. The recipients reportedly included Google, LinkedIn, Meta, Snap, and TikTok, raising concerns that government healthcare platforms leaked protected personal and health-related information at scale.
The exposure affected marketplaces used by more than seven million Americans buying health insurance this year, significantly widening the potential impact. Specific cases included New York's exchange sharing incarceration-related family information, Washington, D.C.'s exchange sending race and sex data to TikTok, and Virginia removing a Meta tracker after ZIP code sharing was identified. Following the findings, Washington, D.C. paused its TikTok tracker rollout and Virginia removed Meta's tracker, underscoring how embedded analytics and advertising tools on public-sector healthcare sites can create broad privacy risks.
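One check a site owner can run against exactly this failure mode is to audit the requests a page makes to third parties and flag any parameters that carry applicant fields. The script below is an added example written for this page, not code from Bloomberg, Mallory, or any state exchange. It takes request URLs as they would appear in a browser network export, skips first-party traffic (the form has to reach the exchange; the question is who else receives it), and reports parameters whose name or value looks like email, phone, ZIP, sex, race, or incarceration data. The hostnames, parameter names, and sample requests are constructed for illustration.

```python
"""Audit outbound tracking-pixel requests for leaked applicant PII.

Added example, not from the article or any exchange's code. Hostnames and
parameter names below are constructed for illustration only.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed first-party host; requests to it (or its subdomains) are expected.
FIRST_PARTY_HOST = "exchange.example.gov"

# Parameter-name fragments that suggest an applicant field (assumption: illustrative
# list; "race" will also match names like "trace", so review findings by hand).
SENSITIVE_KEY_HINTS = (
    "email", "phone", "zip", "postal", "sex", "gender", "race", "ethnic",
    "incarcerat", "dob", "birth", "ssn",
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)
PHONE_RE = re.compile(r"^\+?1?[-. (]*\d{3}[-. )]*\d{3}[-. ]*\d{4}$")
ZIP_RE = re.compile(r"^\d{5}(-\d{4})?$")


def classify_param(key, value):
    """Return a reason string if (key, value) looks like applicant PII, else None.

    Name hints are checked first because pixel libraries often wrap fields in a
    container key (e.g. "cd[zip]"); value patterns catch abbreviated names
    such as "cd[em]" that a name check alone would miss.
    """
    lowered = key.lower()
    for hint in SENSITIVE_KEY_HINTS:
        if hint in lowered:
            return f"parameter name suggests '{hint}'"
    if EMAIL_RE.match(value):
        return "value looks like an email address"
    if PHONE_RE.match(value):
        return "value looks like a phone number"
    if ZIP_RE.match(value):
        # Any five-digit number matches, so treat this as a prompt to look closer.
        return "value looks like a ZIP code (low confidence)"
    return None


def audit_requests(urls, first_party_host=FIRST_PARTY_HOST):
    """Return (host, parameter_name, reason) for every third-party request
    parameter that looks like applicant PII. First-party requests are skipped."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host == first_party_host or host.endswith("." + first_party_host):
            continue
        # keep_blank_values so an empty-but-named field still surfaces the key.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_param(key, value)
            if reason:
                findings.append((host, key, reason))
    return findings


# Constructed sample: one first-party submission, one pixel call that leaks
# applicant fields, and one pixel call carrying only page metadata.
SAMPLE_REQUESTS = [
    "https://exchange.example.gov/apply/submit?step=household&zip=20001",
    "https://pixel.example-ads.net/tr?ev=Lead&cd[em]=jane.doe%40example.com"
    "&cd[ph]=202-555-0142&cd[zip]=20001&cd[sex]=F&cd[incarcerated_family]=yes",
    "https://pixel.example-ads.net/tr?ev=PageView"
    "&dl=https%3A%2F%2Fexchange.example.gov%2Fapply&ts=1715000000000",
]

if __name__ == "__main__":
    for host, key, reason in audit_requests(SAMPLE_REQUESTS):
        print(f"{host}: {key} -> {reason}")
```

Run it against a real export by feeding in every request URL recorded while walking through the application flow; pixel data sent in POST bodies rather than query strings can be passed through `classify_param` the same way after parsing the body. The output is a review list, not a verdict: the only way to know whether a tracker is misconfigured is to compare each flagged parameter with what the site intended to send.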
Timeline
May 4, 2026
Virginia removes Meta tracker from its exchange website
After the investigation's findings, Virginia removed Meta's tracker from its state health insurance exchange website. The tracker was reported to have shared applicant ZIP code information.
May 4, 2026
Washington, D.C. pauses TikTok tracker rollout after findings
Following Bloomberg's reporting, Washington, D.C.'s health insurance exchange paused its rollout of a TikTok tracker. The tracker had reportedly been sending applicant sex and race data.
May 4, 2026
State health insurance marketplaces transmitted applicant data via web trackers
A Bloomberg investigation found that nearly all 20 U.S. state-run health insurance marketplaces were sending sensitive applicant information to advertising and technology companies through misconfigured pixel trackers. Reported data shared across exchanges included details such as race, sex, email address, phone number, ZIP code, country identifiers, and incarceration-related family information.
Related Stories

EPIC Report Warns of US Health Data Privacy Crisis Driven by Surveillance and Data Brokers
The Electronic Privacy Information Center (**EPIC**) released a report, *Beyond HIPAA: Reimagining How Privacy Laws Apply to Health Data to Maximize Equity in the Digital Age*, warning that US health privacy protections are failing as health-related data is increasingly collected outside clinical settings and repurposed for commercial profiling and government use. EPIC argues that **outdated laws (including HIPAA’s limited scope)** and weak regulation of digital tracking enable health data to be harvested via apps, websites, location tracking, and online searches, then aggregated and sold—supporting targeted advertising, “surveillance pricing,” and other uses that can raise costs or restrict access to care. The report and related coverage highlight that health data can escape medical contexts and be used for **surveillance and enforcement**, including scenarios where immigration enforcement activity in or around medical facilities deters patients from seeking treatment. EPIC frames the issue as a “health privacy crisis” that undermines trust and worsens outcomes, particularly for marginalized communities, and points to **data brokers** and the broader commercial surveillance ecosystem as central drivers of the problem; EPIC also promoted a public event discussing the report’s findings and recommendations.
1 month ago
Healthcare and consumer privacy litigation over alleged improper data access and collection
Multiple legal actions highlighted ongoing **privacy and data-protection risk** across healthcare and consumer platforms. Epic Systems sued health information exchange implementer **Health Gorilla** and several provider organizations, alleging improper access to roughly **300,000 patients’ records** and claiming some participants abused interoperability frameworks (including **Carequality** and **TEFCA**) to obtain and monetize sensitive health data without appropriate consent or authorization. Separately, pharmacy services provider **PharMerica** agreed to a **$5.2 million** class-action settlement tied to a **2023** hacking incident attributed to the **Money Message** ransomware group, which claimed exfiltration of **4.7 TB** and later leaked data affecting **5.8 million** people (including SSNs and medication/insurance details), alongside commitments to invest further in security. Outside healthcare, California’s Attorney General opened a probe into **xAI** after **Grok** was used to generate and post non-consensual sexualized deepfakes, while Google agreed to pay **$8.25 million** to settle claims that its **AdMob SDK** collected data from children’s devices in “Designed for Families” apps in alleged violation of **COPPA**; a separate YouTube children’s-data settlement was also noted. A HIPAA Privacy Rule update was also reported as moving closer to finalization following an HHS OCR tribal consultation notice, but it is a regulatory development rather than a specific incident.
1 month ago
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
1 month ago