State-run healthcare exchanges selling data is latest expansion of threat surface
“Any kind of attack that you can think of that relates to human psychology, trust, that kind of thing, can be formulated again with the help of AI,” DeleteMe CEO says.
State-run healthcare exchanges might be sharing your personal data with advertising companies and large tech firms, and may be boosting the potential for cyberattacks in the process.
A May 4 Bloomberg investigation found that almost all 20 state-run health exchanges in the US use ad trackers, raising privacy and ethical concerns. When users of those exchanges interact with information or enrollment web pages, trackers may be sending their data to Meta and other companies.
State services making personal data available to third parties isn’t a new issue, said DeleteMe CEO and co-founder Rob Shavell. State-run DMVs have been selling data for years: “As long as they disclose some of these activities appropriately, their lawyers are telling them to go ahead and make some money with our data.”
Deep problems. Attackers utilize personal information from across multiple platforms, including the data brokers who leverage ad trackers. They deploy the data for spear phishing and other social-engineering attacks—and it behooves IT pros to stay aware of the threats.
Add AI to the equation, Shavell said, and the danger only increases.
“It’s more insidious than yesterday’s hackers looking for a technical vulnerability, because any kind of attack that you can think of that relates to human psychology, trust, that kind of thing, can be formulated again with the help of AI to make it appear very realistic, very clever,” Shavell said. “It can be done over a longer period of time through automation, and that means that something that doesn’t look or feel like an obvious attack.”
Keep it clear. For IT pros who want to address employee concerns about data leakage or hacks, it’s important to manage expectations around information insecurity and the potential for attacks. There’s no silver bullet, but there are some tactics to deal with the problem—access management being a top priority.
Healthcare system insecurity is part of that threat ecosystem, Shavell said. Organizations need to focus on working with staff to protect their personally identifiable information (PII) and avoid unnecessary openings that attackers can leverage.
“Make sure that employees overall don’t have broadly available PII floating around out there about them, their personal life, their family, and the company all easily available in data broker profiles,” Shavell told IT Brew. “Show them that they’re being protected, what kind of internal threat intelligence, what kind of privacy protection tools that are currently running within the organization.”
About the author
Eoin Higgins
Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.