US healthcare marketplaces shared citizenship and race data with ad tech giants


TLDR

  • Bloomberg found nearly all 20 US state health insurance marketplaces sent sensitive application data including race, citizenship, and incarceration details to Google, Meta, TikTok, LinkedIn, and Snap via pixel trackers.

Key Takeaways

  • Pixel trackers (Meta, TikTok) on state exchange sites auto-transmitted form data; misconfiguration, not intentional API calls, was the mechanism.
  • Washington D.C.’s exchange leaked sex, race, email, phone, and country identifiers to TikTok; TikTok’s pixel attempted partial redaction but masked some races and not others.
  • New York’s exchange exposed whether applicants had incarcerated family members; Virginia’s Meta pixel leaked ZIP codes.
  • D.C. paused TikTok tracker rollout; Virginia removed Meta pixel after Bloomberg’s investigation – reactive, not proactive.
  • Over 7 million Americans used state exchanges this year, making the blast radius far larger than prior telehealth pixel incidents.
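
A defender-side check for the exposure described above, as an added example that is not from the original article: it scans a page's HTML for externally hosted scripts that share a document with sensitively named form fields. The host `exchange.example`, the tag host, the sample markup and the field-name pattern are all constructed assumptions.

```javascript
// Constructed inputs: hypothetical first-party host and sample application page.
const FIRST_PARTY = "exchange.example";
// Assumed naming convention for sensitive fields; tune to the real form schema.
const SENSITIVE = /race|ethnic|citizen|immigra|incarcerat|ssn|email|phone|zip|sex|gender/i;

const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script async src="https://tags.adplatform.example/pixel.js"></script>
<script src="https://cdn.exchange.example/forms.js"></script>
</head><body>
<form id="apply">
  <input name="first_name">
  <select name="race"></select>
  <input name="citizenship_status">
  <input type="checkbox" name="household_incarcerated">
  <input name="zip_code">
</form>
</body></html>`;

// Hosts of <script src> tags that are not the site itself or one of its
// subdomains (treating subdomains as first-party is an assumption).
function thirdPartyScriptHosts(html, firstParty) {
  const hosts = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    const host = new URL(m[1], `https://${firstParty}/`).hostname;
    if (host !== firstParty && !host.endsWith("." + firstParty)) hosts.add(host);
  }
  return [...hosts];
}

// Names of form controls that match the sensitive-field pattern.
function sensitiveFieldNames(html) {
  const re = /<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']+)["']/gi;
  return [...html.matchAll(re)].map((m) => m[1]).filter((n) => SENSITIVE.test(n));
}

// Flag the page when any third-party script runs in the same document as a
// sensitive field, since that script can read every field in the DOM.
function auditPage(html, firstParty) {
  const hosts = thirdPartyScriptHosts(html, firstParty);
  const fields = sensitiveFieldNames(html);
  return { hosts, fields, flagged: hosts.length > 0 && fields.length > 0 };
}

console.log(auditPage(SAMPLE_HTML, FIRST_PARTY));
```

A static scan like this misses scripts injected at runtime by a tag manager, so it is a first pass to pair with a review of the network requests the rendered page actually makes.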

Hacker News Comment Review

  • Commenters drew a sharp technical line: including third-party JavaScript grants full DOM and form-data access – exchanges likely added pixels for retargeting enrollment without understanding this scope.
  • Consensus leaned toward dual-sided liability: penalize both the site embedding the pixel and the platform ingesting the data, not just the government agency.
  • Some disagreement on intent – a minority argued government tracking citizenship eligibility for public services is defensible; majority rejected that framing given the ad-platform recipients.

Notable Comments

  • @offmycloud: “once you include someone else’s Javascript on your site, they have full access to everything” – flags developer education as a root cause, not just policy failure.
