Technology | Prognosis
Meta, TikTok Are Sent Personal Data From Health Exchanges — Alarming Privacy Experts
Race, location and immigration information has been sent to social media companies.
Nearly all of the 20 state-run health insurance exchanges in the US have added advertising trackers that transmit user activity back to big tech companies, in some cases sending more data than state officials realized. Bloomberg News reviewed thousands of enrollment and informational webpages across these sites, as well as the Washington, DC exchange, and found personal data being shared on many of them. More than 7 million Americans bought health insurance for 2026 through these sites.
The Washington exchange sent applicants’ sex and citizenship responses to TikTok, as well as some race data that the tracker failed to filter out. Virginia’s tool to estimate premiums sent ZIP codes to Meta Platforms Inc. In New York, the marketplace shared the pages applicants visited during enrollment with TikTok, Meta, Snap Inc. and Microsoft Corp.’s LinkedIn, including when they provided details about incarcerated family members.
No federal data privacy law applies to these enrollment sites. State laws define sensitive data under a patchwork of rules, which privacy experts say are inadequate and inconsistent.
“It is very harmful that these tracking technologies are so embedded in these sites because people would expect this information to be private,” said Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, citing research that indicates people alter their behavior online when they know they’re being surveilled.
The Federal Trade Commission and states can enforce consumer protection laws against unfair practices and misuse of sensitive information, said Geoghegan. “But this case-by-case approach has proven insufficient.”
Read more: Americans Googling Obamacare Are Finding “Junk Insurance” Instead
Spokespeople for Meta, TikTok, LinkedIn, Snap and Google said their terms prohibit advertisers, like the state exchanges, from sharing sensitive or health-related data and place responsibility on them to ensure compliance. TikTok and Snap said sensitive data can include information contained in page URLs.
Washington and Virginia removed some of the trackers after Bloomberg asked for comment.
Ad trackers, snippets of code often called “pixels,” are extremely common across the internet and are a key reason that companies like Meta and Alphabet Inc.’s Google can target ads to billions of people around the world. A clothing retailer, for example, may track what items a user looks at on their site, and then resurface those items in ads that appear elsewhere online. State officials say they embed this technology on the exchanges to measure marketing campaigns and to advertise to people who visit their sites. Privacy experts say this kind of tracking does not belong on health-related websites.
Bloomberg used developer tools that are part of all popular web browsers to inspect what data was sent from these exchanges to third-party companies. Even when the tech companies behind the trackers tried to block states from sending sensitive data, those filtering mechanisms were incomplete. In Washington, users applying for health coverage enter information about their race, which the TikTok tracker attempted to redact. Selections like “White,” “African/American” or “Asian” were successfully masked, but more specific descriptions such as “Cambodian” or “Indian” were not.
These are some examples of how race is being fully or partially filtered before it’s shared with TikTok.
TikTok’s filtering on the Washington exchange relied on preset keyword lists to identify sensitive categories prohibited under their policies — including race, religion, sexual orientation, political affiliation, union membership and criminal record. The filter hides terms such as “Asian,” “Black,” “Muslim” and “Jewish,” plus US political references like “Democrat,” “Republican,” “MAGA” and “Antifa.” Any terms missing from the preset list were not filtered.
“It’s a flawed and brittle process for filtering unwanted information,” said Zach Edwards, an independent cybersecurity expert who has spent years auditing advertising technology developed by US tech giants.
A TikTok spokesperson said its systems are designed to filter potentially prohibited data and notify advertisers when it may be shared. The spokesperson did not address the apparent limitations of the keyword lists used to filter that data.
Tara Lee, a spokesperson for the Washington state exchange, said the tracker on the site was used for advertising campaigns, adding that email, phone and country identifiers were shared with TikTok. She said that no other details that could potentially be tied to a customer were shared. In its testing, Bloomberg observed that the site sent TikTok responses and metadata tied to questions about race, sex and citizenship. Bloomberg could not confirm whether that data was linked to a user's TikTok account.
The state paused its use of the TikTok tracker on its enrollment site after being informed of Bloomberg’s review.
On Virginia’s exchange, users enter their five-digit ZIP codes into a form used to estimate insurance premiums, which Meta receives because of an optional feature of the tracker designed to link people to their Facebook pages, build out their profiles and target ads to them.
Visits to 10 other states’ websites were also recorded and tied to a Bloomberg journalist’s Facebook account, enabling Facebook to retarget the journalist with ads based on those visits.
A spokesperson for Virginia’s marketplace said the state doesn’t consider ZIP codes to be personally identifiable information and that the information collected on the site is used to help with consumer outreach. Virginia later removed the Meta tracker from the screening page.
Privacy experts said that simply visiting certain pages can reveal personal information. In New York, when applicants are asked about incarcerated family members, they can click through to a page to add more details. That page visit is sent to TikTok, Meta and other ad tech companies.
In New Mexico, visiting a page titled “Zero Dollar Income Affidavit” triggered a request to Google’s advertising network. In Rhode Island, visiting Medicaid-related pages on the state’s HealthSource site sent data to Google, Meta and Nextdoor. Nextdoor did not respond to requests for comment.
On Maryland’s exchange, visiting a page titled “Good News for Noncitizen Pregnant Marylanders,” as well as a Spanish-language page about health coverage for DACA recipients, sent data to LinkedIn, Snapchat, Google and Meta.
A spokesperson from New Mexico’s exchange said the tracker was present on informational pages only and that it was a relic from a previous marketing campaign used to reach those in need of health insurance. After being alerted that the tracking was still active, they removed it. Spokespeople from New York, Maryland and Rhode Island said their sites use standard tracking tools to measure site analytics and improve outreach. Maryland and Rhode Island stated that they don’t collect personally identifiable information.
It’s not always clear whether tech companies ultimately use the types of data that Bloomberg found being shared for ad targeting. But lawsuits have scrutinized the use of tools like Meta’s tracker by hospitals and healthcare providers over claims they transmitted sensitive user activity without consent. There has been a striking drop in this practice due to the fear of costly litigation or enforcement, with 30% of hospital and health system websites using such technology in 2025, down from 98% in 2021, according to a recent study.
The federal healthcare.gov marketplace, which is used by residents of the other 30 states, does not use these trackers. California was the only state in Bloomberg’s review that did not use advertising trackers, having removed them last year after being informed of the security risk by nonprofit news organizations CalMatters and The Markup. A separate Markup analysis of 19 state sites last year also flagged data exposures in several states that later changed some of their settings.
According to Edwards, one reason so many websites continue to share sensitive user data is that website operators deploy tracking tools without fully understanding how they work. “The onus is on them to do it safely,” he said. “You can’t protect something that you don’t understand.”