Napa, CA – In a disturbing revelation, forensic testing conducted by CalMatters has uncovered that Covered California, the state’s health insurance exchange under the Affordable Care Act, has been sharing sensitive personal information with LinkedIn. The data, which includes answers to health-related questions, was transmitted without users’ knowledge or consent.

Sensitive Health Information Compromised

As visitors filled out forms on the Covered California website, trackers on the pages silently sent sensitive health details to LinkedIn. Information collected included answers to questions about pregnancy status, prescription medication use, and whether individuals identified as transgender or were victims of domestic abuse. These details, which are highly personal and health-related, were sent to LinkedIn via an advertising tool known as the Insight Tag.

The data shared also included users’ selections of doctors and hospitals, including the types of specialists they were seeking or whether specific facilities were covered under their health plan. While some of the information may appear innocuous, experts raised alarms about the inappropriate use of such sensitive data by a social media platform, particularly for commercial advertising purposes.

A Month-Long Advertising Campaign

The data leak began in February 2024, when Covered California initiated an advertising campaign that involved LinkedIn. The campaign continued until early April 2025, when it was disabled following public exposure of the issue. Kelly Donohue, a spokesperson for Covered California, confirmed that the data was sent as part of an advertising strategy managed by an external marketing agency. The organization has since removed all advertising-related tracking tags as a precautionary measure.

“We were unaware of the extent to which this data was being shared,” Donohue said in a statement. “To ensure privacy going forward, all active advertising-related tags across our website have been turned off.”

However, experts have raised concerns about the broader implications of this oversight, questioning how long such sensitive information could have been exposed and how it might have been used.

Privacy Experts React

The disclosure has prompted strong reactions from privacy advocates. Sara Geoghegan, senior counsel at the Electronic Privacy Information Center, called the practice “invasive and concerning,” noting that health information was being shared with a platform that has no legitimate need for it.

“It’s unfortunate,” Geoghegan said. “People don’t expect that their health information will be collected and used in this way.”

Health data is considered some of the most sensitive personal information, and its use is tightly regulated. While Covered California is not necessarily subject to HIPAA regulations, experts argue that the collection and distribution of such data may still violate state privacy laws, including the California Consumer Privacy Act (CCPA), which requires businesses to obtain consumer consent before collecting and sharing personal information.

The Scale of the Problem

Covered California’s website was found to have more than 60 tracking tools embedded—far more than the average of three found on other government websites across the state. Many of these tools came from large social media companies, including Meta and LinkedIn, while lesser-known entities like LiveIntent, an email marketing company, also had access to users’ browsing activities.

This level of tracking is significantly higher than what is typically seen on state or local government sites, where privacy concerns should be a top priority. Experts say that this could signal a systemic problem within Covered California’s privacy and security protocols, as well as broader issues with data collection practices in public health websites.

A History of Success

Covered California, an independent entity operating within the California government, has been praised for its role in expanding access to health insurance in the state. As of 2023, nearly 2 million people were enrolled through the platform, contributing to a dramatic reduction in California’s uninsured rate—from 17.2% in 2014 to 6.4% in 2023, the largest drop of any state. But experts worry that the breach of trust may undermine the platform’s hard-earned reputation.

Addressing the Issue

In response to the scandal, Covered California has promised a full review of its data collection and privacy practices. Donohue said the organization would take “any necessary steps” to ensure the security and privacy of consumer data moving forward. The agency is also committed to sharing additional findings with the public as they arise.

However, some are skeptical that the damage has already been done. The exposure of such private health information to a major social media platform raises serious questions about the ongoing vulnerability of personal data in the digital age, especially on government websites meant to protect citizens’ health.

The revelation serves as a stark reminder that even well-intentioned public programs may struggle to safeguard personal information in the age of ubiquitous tracking and digital advertising. For millions of Californians, the breach highlights the need for more robust privacy protections and greater transparency in how sensitive data is collected and shared online.

As Covered California continues its review, privacy advocates will be watching closely to ensure the security of personal health information is prioritized—and that trust in the state’s health exchange remains intact.