Data Sharing Breach: U.S. Health Marketplaces Expose Sensitive Resident Information

Severity: High (Score: 64.5)

Sources: Techcrunch, Scworld

Summary

An investigation by Bloomberg revealed that nearly all 20 U.S. state-run health insurance marketplaces shared sensitive application information with major tech companies, including Google, Meta, and Snap. This data sharing involved personal details such as applicants' race, sex, and even information about incarcerated family members. Misconfigured pixel trackers on these government websites allowed for the unauthorized collection and transmission of this data. For example, New York's exchange shared sensitive applicant details, while Washington D.C.'s exchange transmitted sex and race information to TikTok, with some racial data being inadequately masked. Virginia removed a Meta tracker after it was found to be sharing ZIP codes. This issue affects over seven million Americans who purchased health insurance through these exchanges. The ongoing use of pixel trackers on government sites raises significant privacy concerns. The current status includes the pausing of certain trackers, but the full extent of the data exposure remains unclear. Key Points: • U.S. state health insurance marketplaces shared sensitive data with tech giants. • Misconfigured pixel trackers on government websites led to unauthorized data collection. • Over seven million Americans are potentially affected by this data exposure.

Key Entities

• Google (company)
• Meta (company)
• Snap (company)
• TikTok (platform)
• CWE-200 - Exposure of Sensitive Information (cwe)
• Healthcare (industry)
• T1567 - Exfiltration Over Web Service (mitre_attack)