Government Health Websites Were Found Sending Your Race and Citizenship Data to TikTok and Meta

Government Health Websites Were Found Sending Your Race and Citizenship Data to TikTok and Meta

If you’ve ever signed up for health insurance through a state-run website, you probably assumed your most sensitive information—like your race, citizenship status, and health details—was kept private. After all, these are government sites, handling some of the most personal data you can share online. But a recent Bloomberg investigation has revealed something deeply unsettling: for years, nearly all 20 U.S. state health insurance exchanges, plus the D.C. marketplace, were quietly sending this sensitive info straight to tech giants like Meta (Facebook’s parent company) and TikTok. Not on purpose, but because of hidden ad trackers embedded in their websites. Over 7 million Americans were caught up in this mess. If this sounds like a nightmare, you’re not alone—and it’s not just a problem for techies or privacy activists. This is about your real life, your privacy, and your right to control your own information.

What Actually Happened? A Closer Look at the Data Leak

This wasn’t some shadowy hacker attack or a dramatic data breach. Instead, it was a quieter, more insidious kind of privacy failure. State health insurance websites—places where people go to sign up for essential health coverage—had advertising trackers installed. These trackers, like Meta Pixel and TikTok Pixel, are tiny pieces of code designed to help website owners understand how visitors use their sites. In theory, they’re supposed to collect anonymous usage data to improve the website or measure ad effectiveness. But here’s where things went wrong: the trackers were misconfigured. Instead of just basic analytics, they ended up scooping up and sending highly sensitive information—including race, citizenship status, ZIP codes, and even some health details—to Meta and TikTok.

For example, in Washington, D.C., the site sent applicants’ sex and citizenship responses to TikTok, along with some race data that the tracker failed to filter out. In Virginia, a tool designed to estimate insurance premiums sent users’ ZIP codes to Meta, which could then be used for targeted advertising. None of this was supposed to happen. But for years, it did.

Why Should Anyone Care? The Real-World Consequences

At first glance, it might seem like just another tech slip-up. But this isn’t about some abstract privacy principle. This is about your life. When you fill out a health insurance application, you’re required to answer deeply personal questions—about your health, your race, your citizenship status. You do this because you trust the process and assume your answers are protected. When that trust is broken, the consequences aren’t just technical—they’re human.

Let’s break it down:

  • Targeted Advertising: Tech companies like Meta and TikTok thrive on data. If they know your ZIP code, race, or citizenship status, they can target you with eerily specific ads. Maybe you start seeing ads related to immigration services, health issues, or insurance options tailored to your demographic profile. It’s unsettling, and it’s not what you signed up for.
  • Potential for Profiling: When companies collect this kind of data, it can be used to build detailed profiles about you. Even if you never see a direct consequence, your information could be used to sort, categorize, or even discriminate—often without your knowledge.
  • Loss of Trust: Once you realize that even government websites can leak your personal data, it’s hard not to feel anxious or cynical about using any online service. That stress and loss of trust is a real cost, and it’s not easily fixed.

Why Millions of Users Never Realize Their Data Was Exposed

One of the most frustrating parts of this story is that most people affected will never know it happened. There were no warning emails, no pop-up alerts, no headlines screaming about a breach. The data just slipped quietly from the health insurance websites to the servers of Meta and TikTok, buried in the background as you filled out your forms. Because this wasn’t a hack or a break-in, but a misconfiguration, it didn’t trigger the usual alarms.

And let’s be honest—most of us don’t expect to have to audit government websites for privacy risks. We assume they’re safe by default. That’s a reasonable assumption, but in this case, it was wrong.

Misconceptions: What Most People Get Wrong About Government Websites

  • "Government sites don’t share my data without permission." Unfortunately, this incident proves otherwise. Even well-intentioned agencies can make mistakes, and those mistakes can have serious consequences.
  • "Advertising trackers only collect anonymous information." In theory, maybe. In practice, these trackers can easily scoop up personal details if not carefully configured—and that’s exactly what happened here.
  • "My data is safe because these sites are regulated." Regulation helps, but it’s not a guarantee. Technical slip-ups, lack of oversight, and poor transparency can still put your information at risk.

What Did the States and Tech Companies Do After the Exposure?

Once the issue was brought to light, there was some action—though arguably, it was too little, too late for those already affected. Washington, D.C., paused its rollout of TikTok trackers. Virginia removed the Meta tracker from its premium-estimate tool. But there’s no evidence that affected users were directly notified, nor is there public information about whether Meta or TikTok deleted the data they received. The trackers are reportedly gone now, but the data that was already sent? That’s out there, and there’s no easy way to pull it back.

It’s worth noting that these changes only happened after investigative reporting exposed the problem, not because the agencies or tech companies proactively caught the issue. That’s not exactly reassuring.

How Does This Happen? The Hidden Risks of Ad Trackers

Advertising trackers—like Meta Pixel and TikTok Pixel—are everywhere online. They’re supposed to help website owners see what’s working and what’s not. But these trackers are often poorly understood, even by the people who install them. If configured incorrectly, they can collect far more than just anonymous clicks or page views. They can capture whatever information is present on the web page, including form responses and personal details.

On a health insurance website, that means sensitive information ends up in the tracker’s data stream. And because these trackers report back to powerful tech companies, your data can be used in ways you never agreed to. It’s a silent, invisible leak—one that most people never notice until it’s too late.

What’s the Actual Risk to You? Assessing the Fallout

Let’s be realistic: there’s no evidence that this specific data leak led to identity theft, financial fraud, or direct harm to individuals. But that doesn’t mean the risk is low. The data shared was highly sensitive—race, citizenship, ZIP code, health info. In the wrong hands, this kind of information can be used for targeted advertising, profiling, or even discrimination. And once it’s out, you can’t get it back.

For most people, the immediate consequence is increased exposure to targeted ads and the unsettling feeling that your privacy was violated. For some, especially those in vulnerable communities, the risk of profiling or misuse is higher. That’s why this incident is best described as a high risk, even if the worst-case scenarios haven’t played out—yet.

Five Steps That Actually Reduce Your Risk

If you used a state-run health insurance exchange in recent years, you might be wondering what you can do now. Here are five practical steps that make a real difference:

  1. Review Your Social Media Ad Preferences: Platforms like Facebook and TikTok let you see (and sometimes limit) what information is used to target you. It’s worth checking your ad settings and clearing out any unnecessary data.
  2. Limit Data Sharing on Government Sites: When possible, provide only the required information—never more. If a site asks for details that seem unnecessary, question it or look for alternative ways to apply.
  3. Use Privacy Tools: Consider browser extensions that block ad trackers, such as uBlock Origin or Privacy Badger. These tools can help prevent similar leaks in the future, even on sites you trust.
  4. Stay Informed and Advocate: Ask your state representatives about privacy protections on government websites. Public pressure is often the only way to drive real change in how agencies handle your data.
  5. Monitor Your Accounts: While there’s no evidence of direct financial risk, it’s always smart to keep an eye on your credit, insurance, and social media accounts for unusual activity. Early detection is key to minimizing harm.

Broader Implications: Why This Isn’t Just a One-Off Problem

This isn’t the first time advertising trackers have leaked sensitive data from supposedly secure websites. Hospitals, financial services, and even mental health apps have all been caught sending private information to tech companies through misconfigured trackers. The problem is bigger than any single incident—it’s a systemic issue with how online tracking works, and how little oversight there really is.

Government websites, in particular, should be held to the highest standards. If even they can make these mistakes, it’s a wake-up call for everyone. We need stronger rules, better transparency, and real accountability—not just apologies after the fact.

Moving Forward: Building Digital Confidence, Not Fear

It’s easy to feel powerless in the face of stories like this. But knowledge is your best defense. By understanding how these leaks happen and taking small, practical steps to protect yourself, you can regain some control over your digital life. Don’t let negligence—by companies or governments—erode your confidence. Demand better, stay informed, and support real privacy protections. Your data is your business, and it deserves real respect.

Suggested readings ...