Healthcare.gov Handed Your Citizenship and Race Data to Ad Tech

If you want health insurance through the US marketplace, you go to healthcare.gov. While you’re filling out the application, the site is quietly shipping your citizenship status, race, pregnancy status, and income to Google, Meta, and a handful of ad analytics firms. This isn’t a fringe state portal. This is the federal government’s flagship enrollment site, and it’s been leaking the kind of data that should never touch an ad network.

What leaked, and to whom

The exposure spans healthcare.gov itself and several state-run marketplaces. As users fill out enrollment forms, fields like citizenship status, race and ethnicity, pregnancy, household income, and smoking status get picked up by third-party tracking pixels embedded in the pages.

The recipients are the usual suspects: Google, Meta, LinkedIn, and the analytics vendor Snowplow. From the moment the page loads, user behavior is tracked, and form values flow out as URL parameters or event payloads. Standard ad-tech plumbing — applied to deeply non-standard data.

Why this is a different kind of bad

Health data sits in the most-protected tier of US privacy law. HIPAA exists. State medical privacy statutes exist. And citizenship data carries political weight that goes beyond the legal category — it’s the kind of information that can change someone’s life depending on who holds it.

That’s the part that makes this story land harder right now. With the second Trump administration ramping up immigration enforcement, the question of “who is and isn’t a citizen” is no longer abstract. A dataset answering that question — even partially, even probabilistically — flowing through ad infrastructure is a structural threat. Google and Meta don’t have to weaponize it themselves. The data broker ecosystem launders this stuff into resale products as a matter of routine.

Why this keeps happening

The honest answer is boring. A government site is still a website. Someone wants to measure traffic, so they bolt on Google Analytics. Someone wants campaign attribution, so they drop in a Meta Pixel. The dev team thinks “this is standard marketing instrumentation,” and meanwhile the default config is happily slurping up form field values.

Then layer on government procurement. The site gets built by a contractor. The contractor reuses the ad SDKs they always use. Security review is a checkbox exercise. The Markup ran almost exactly this story about hospital websites and Meta in 2022. Four years later, same pixel, same payloads, different domain. The pattern is the point.

The pixel is a black box

From a user’s perspective, the maddening part is that you never consented to any of this. There is no screen on healthcare.gov that says “share your citizenship status with Google?” There’s a cookie banner, maybe, and that’s the entire negotiation.

Technically, this is baked into how ad pixels work. They have access to the whole DOM. Some have form-autocapture turned on by default. Unless a developer explicitly tells the pixel “do not exfiltrate this field,” everything goes. The trust model assumes a marketing landing page, not a federal benefits intake form.

The EU already drew a line

This is where the international gap matters. Multiple EU data protection authorities have ruled that government use of Google Analytics violates GDPR, full stop. France, Austria, Italy — all forced public sector sites to rip it out. The US has no equivalent regime for federal sites, and the result is on display: the most sensitive form on the federal web treating ad tech as ambient infrastructure.

The fix isn’t exotic. Sensitive forms should run on first-party analytics with no third-party scripts on the page. Citizenship and race fields should never share a network call with anything that ends in google-analytics.com or facebook.net. These are 2010s-era engineering decisions, not breakthroughs.

The takeaway

The reason the most-protected data leaks the most easily is that nobody flagged it as sensitive at the layer where it mattered. It got handled like normal web traffic. If citizenship status had been treated with the same paranoia as a credit card number, none of this would have happened.

Next time you fill out something sensitive on a government site, open the network tab. The view is uglier than you’d expect — and far busier than anyone ever told you.