May 06, 2026 · 10 min read
20 State Health Exchanges Sent Your Citizenship, Race, and Prescription Drug Names to TikTok and Meta—Through the Same Pixels That Read Your Email
A Bloomberg investigation found that nearly every state-run health insurance marketplace is quietly handing applicants' most sensitive data to ad tech giants. The technology doing it is identical to the spy pixel sitting in your inbox right now.
On May 4, 2026, Bloomberg News and TechCrunch published the results of a months-long investigation into the websites that more than seven million Americans use to buy health insurance. The findings were not subtle. Nearly all 20 state-run health insurance exchanges, plus the District of Columbia, were embedding tracking pixels that quietly forwarded applicant data to Google, Meta, TikTok, Snap, and LinkedIn. The data ranged from ZIP codes to immigration status to the actual names of prescription medications people were filling.
Bloomberg conducted the analysis with the privacy firm Feroot Security. The team scanned thousands of enrollment pages across every state exchange and ran a retargeting test that confirmed Meta could tie a journalist's visits to those pages back to their personal Facebook account. The pixel-based tracking was not a back-end accident. It was operating exactly as designed, on enrollment pages where people answer questions about their bodies, their families, and their legal status in the United States.
The technology at the center of the leak is the same one Gblock blocks every day in your inbox: a one-pixel image embedded in a page or email that pings a third-party server when it loads, fingerprinting the visitor and the device. The exchanges were not hacked. They simply pasted the trackers into their HTML the way a marketer pastes them into a newsletter.
What Each State Sent and Where It Went
Bloomberg and Feroot did not just confirm the trackers were present. They documented what they sent and to whom. The results were uneven across states, but every misconfiguration leaked something the applicant would never knowingly volunteer to a social platform.
- Washington, D.C. sent residents' sex, race, citizenship, email address, phone number, and country identifiers to TikTok. The TikTok tracker stripped out broad racial categories but left specific ethnicity details intact, what one expert quoted by Bloomberg called "a flawed and brittle process for filtering unwanted information."
- Virginia shared ZIP codes with Meta through its premium estimate calculator. A state spokesperson argued that ZIP codes are not personally identifying, a position that does not survive contact with the HIPAA safe harbor list, where ZIP codes are explicitly named as a quasi-identifier.
- New York shared visited page paths with TikTok, Meta, Snap, and LinkedIn during the enrollment flow, including pages where applicants disclosed having an incarcerated family member.
- Nevada sent the names of specific prescription medications to LinkedIn and Snap. The example Bloomberg cited was Fluoxetine, the generic name for Prozac.
- Maine's CoverME.gov sent prescriptions and dosages to Google.
- Maryland trackers fired on Spanish-language pages covering noncitizen pregnancy and DACA, leaking the very pieces of metadata that identify someone as undocumented.
Massachusetts, California, Maine, Nevada, and Rhode Island also showed tracker behavior of varying severity. Bloomberg has not yet published the comprehensive per-state breakdown, but the firm's draft data covers all 20 marketplaces plus D.C.
The Same Pixel That Lives in Your Inbox
If a tracking pixel on a healthcare site sounds different from a tracking pixel in an email, it is not. The implementation is byte-for-byte identical. A 1x1 image element loads from a third-party domain. The browser or email client fetches it. That fetch carries the IP address, the user agent, the referring page, and any query-string parameters the publisher chose to attach. On a healthcare enrollment page those parameters can carry your race, your medications, or your country of origin. In a marketing email those parameters carry your address, the campaign ID, and a fingerprint that tells the sender exactly when you read the message and from which device.
The boundary between the two contexts has been blurring for years. Hospitals that quietly embedded the same pixels paid out more than 100 million dollars in settlements after class actions documented Meta Pixel firing on patient portals. France's CNIL gave email marketers until July 14 to drop default tracking pixels in inbox campaigns, treating the inbox the same way it has long treated cookies on the web. The pattern keeps repeating. Whenever a publisher's privacy obligations are higher than the regulator's enforcement bandwidth, third-party pixels show up in places they were never meant to be.
Healthcare is the extreme version of that gap. Federal regulators have known about pixel-based leakage for years. The Markup published its first investigation in 2022, finding 33 of the top 100 U.S. hospital websites running Meta Pixel against authenticated patient data. STAT followed in 2023 with a similar finding for telehealth providers. The Office for Civil Rights and the FTC sent joint warning letters to about 130 hospitals and telehealth firms. By 2025 the prevalence of trackers on hospital sites had dropped from roughly 98 percent to 30 percent, almost entirely because of class action settlements rather than enforcement actions.
A Texas Judge Already Took Most of HIPAA Off the Table
The investigation arrives in a regulatory environment that just got significantly worse for users. In June 2024, a federal judge in the Northern District of Texas ruled that the Department of Health and Human Services had exceeded its authority when it issued guidance extending HIPAA to "unauthenticated webpage tracking," meaning the tracking that fires on a site before a visitor logs in.
The ruling is exactly the regulatory crack that state exchanges have been operating in. The enrollment process happens before a HIPAA-covered relationship has formally been established. By the time a person clicks "submit" on a plan selection, they have already loaded a dozen pages, told the form their state, their household size, their income bracket, and in the worst cases their immigration status, all while a Meta or TikTok pixel fires on every page transition. The judge's order means that none of that flow is clearly within the Office for Civil Rights' enforcement authority.
Without HIPAA enforcement, the only meaningful consequence comes from class action plaintiffs and a small number of state attorneys general. California's CPPA recently used its independent rulemaking authority to crack down on opt-out signal violations, but no state agency has yet brought a case against its own health exchange. The conflict of interest is doing exactly what you would predict.
Meta and TikTok's "Detect and Filter" Defense
Asked to comment, Meta told Gizmodo: "We do not permit or want advertisers to share sensitive information with us through our business tools, and our systems are designed to detect and filter out information that appears potentially sensitive." This is the standard defense, and it has been the standard defense for the entire history of these tools. It is also obviously insufficient. The Bloomberg investigation succeeded by sending real prescription drug names through real exchange pages and watching them arrive at real ad tech endpoints. The "detect and filter" pipeline did not catch them. It almost never catches them, because the ad tech business model rewards ingesting more signal, not less.
After Bloomberg requested comment, Washington, D.C. paused its TikTok tracker rollout. Virginia removed the Meta pixel from its premium estimator. Both were quick fixes that arrived only because a major newsroom was about to publish their names. None of the other states named in the report had pulled their trackers as of publication. The default state of the entire system is for the data to keep flowing.
What This Means for Your Inbox
If a state government cannot keep tracking pixels off its own enrollment site, no one should expect a marketer to keep them out of an email. The healthcare context simply makes the underlying problem visible. The pixel is a generic tool, and any time it fires, somebody on the other end is harvesting whatever metadata the page or message offers up.
For email, the parameters in the pixel URL typically include the recipient's email address, a campaign identifier, and timestamps. With a single load, the sender learns when you opened the message, the city you opened it from, and the device you used. That is the same data the New York exchange leaked to Snap, except the email version arrives in your most personal communication channel and runs every time a marketer sends a campaign.
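As an added example (not Gblock's code, nor anything from the Bloomberg report), the following Python audit does what the two pixel descriptions above spell out, for both a web page and an email: it finds 1x1 images served from a host other than the page's own and lists which query-string keys in their URLs carry personal or health data. The page, email, hostnames and key names are all constructed for illustration.

```python
# Find tracking pixels in HTML and report which query-string keys they carry.
# Added example, not Gblock's code; the page, email, hosts and keys are constructed.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query keys that would carry data a visitor never meant to hand to an ad network.
SENSITIVE_KEYS = {"email", "zip", "race", "citizenship", "rx", "drug", "dosage"}

class PixelFinder(HTMLParser):
    """Collect <img> tags that look like tracking pixels: 1x1 and served by another host."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}  # boolean attributes arrive as None
        host = urlparse(a.get("src", "")).netloc
        tiny = a.get("width", "").strip() in {"1", "1px"} and a.get("height", "").strip() in {"1", "1px"}
        if tiny and host and host != self.first_party:
            self.pixels.append(a["src"])

def audit(html, first_party):
    """Return (host, sorted sensitive keys in its URL) for every third-party pixel found."""
    finder = PixelFinder(first_party)
    finder.feed(html)
    findings = []
    for src in finder.pixels:
        url = urlparse(src)
        keys = sorted(k for k in parse_qs(url.query) if k.lower() in SENSITIVE_KEYS)
        findings.append((url.netloc, keys))
    return findings

# Constructed enrollment page: the pixel URL carries a medication, a dosage and a ZIP code.
ENROLLMENT_PAGE = """<h1>Prescription coverage</h1>
<img src="https://tracker.example/px?rx=fluoxetine&amp;dosage=20mg&amp;zip=89501" width="1" height="1">
<img src="https://exchange.example.gov/logo.png" width="120" height="40">"""

# Constructed marketing email: recipient address and campaign id in the pixel URL.
MARKETING_EMAIL = """<p>Your refill is ready.</p>
<img src="https://mail-track.example/o.gif?email=jane%40example.com&amp;cid=spring26" width="1px" height="1px">"""

if __name__ == "__main__":
    print(audit(ENROLLMENT_PAGE, "exchange.example.gov"))  # [('tracker.example', ['dosage', 'rx', 'zip'])]
    print(audit(MARKETING_EMAIL, "pharmacy.example"))  # [('mail-track.example', ['email'])]
```

The size check is a heuristic: pixels hidden with CSS rather than width/height attributes would need a style check as well, and any third-party image with a query string deserves a look.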
There is no realistic regulatory fix on the horizon. The Texas ruling has neutered HIPAA's reach. Federal privacy legislation is stuck. The only path that has produced visible behavior change is class action exposure, which is reactive and slow. The path users actually have control over is at the inbox itself: stripping the pixel before it loads, so it never gets a chance to phone home. That is the part Gblock handles in the email channel. The rest of the open web, including state insurance marketplaces, still requires a regulator with the authority and political will to act, and the Bloomberg investigation makes clear that neither is currently in supply.
What to Do If You Used a State Exchange in 2026
For the seven million Americans who enrolled through a state marketplace this year, the practical steps are limited but worth taking:
- Assume your enrollment metadata is in the ad tech graphs. Bloomberg's retargeting test confirmed Meta could tie page visits to a personal account. The data is already there.
- Check the state's tracker page. If your state pulled trackers after the Bloomberg report, that confirms the prior leak. The state typically posts a notice.
- Use a privacy-focused browser such as Brave or Firefox with strict tracking protection, or install uBlock Origin. None of these stop a determined first-party leak, but they reduce the tracker surface area for future visits.
- Block tracking pixels in your email. Marketing emails from health insurers, pharmacies, and pharma manufacturers carry the same pixel infrastructure. Blocking them in the inbox is the highest-leverage step you can take, because it stops the data flow before it starts.
- File a complaint. If your state is named in the report and you enrolled this year, your state attorney general and your state insurance commissioner both have jurisdiction. The CPPA accepts complaints from California residents.
The Larger Pattern
The Bloomberg investigation is the third in a series of stories this year showing that the U.S. has effectively given up on policing tracking pixel placement. The OkCupid case showed that even an FTC consent order does not necessarily come with a fine. The hospital pixel cases produced settlements only after years of class action work. And now the state exchanges, which exist specifically because the federal government wanted Americans to have a trustworthy place to buy insurance, are leaking the most sensitive enrollment data to TikTok.
The technical fix is trivial. Strip the trackers, ship the change, audit the build pipeline. The political and institutional fix is much harder. Until it happens, the only reliable defense is the one that does not depend on the publisher caring: blocking the pixel at the receiving end, in the browser and in the inbox, before it has a chance to load.