STATE HEALTH SITES LEAK DATA TO BIG TECH

Multiple state healthcare sites are transmitting personal data to large technology platforms, raising significant privacy concerns. The shared information includes location history, racial demographics, and immigration status—details typically considered sensitive health-related information. The data flows occur through tracking tools and analytics embedded on state health websites. These tools, commonly used for measuring web traffic and user behavior, often send information to third-party companies including Meta and TikTok. States affected include those running their own healthcare marketplaces and enrollment systems. The practice appears widespread but largely undisclosed to users accessing these sites for health insurance information and enrollment. Current Privacy Gaps Existing privacy regulations like HIPAA do not adequately cover these data-sharing practices. HIPAA protects health information held directly by healthcare providers and insurers, but does not extend to state websites or the third-party tracking tools they employ. State privacy laws vary significantly in scope and enforcement. Many states lack specific regulations governing how personal information can be shared with tech platforms, leaving gaps in protection even where privacy laws exist. Industry Practice The integration of tracking and analytics tools on government health sites reflects broader industry practice. Many public websites use similar tools to monitor user engagement and traffic patterns. However, the sensitivity of health-related data—combined with the involvement of major social media platforms with significant advertising capabilities—distinguishes this situation from standard website analytics. Path Forward The issue highlights growing tension between government digital services and data privacy. Privacy advocates are calling for stronger regulations to restrict data sharing from health websites and greater transparency about tracking practices on government platforms. Some proposals include requiring explicit user consent before data sharing, limiting what types of information can be transmitted to third parties, and extending privacy protections to government health websites specifically.