Apr 10
Health Insurance Sites Harvest and Sell Sensitive Consumer Data in Real Time
A disturbing new study conducted by researchers at UC Davis, Stanford, and Maastricht University has exposed the aggressive data-harvesting practices of health insurance lead generation websites. By monitoring 105 sites with 210 synthetic profiles, the team found that sensitive personally identifiable information (PII) is often captured and sold within seconds, frequently before a user has finished typing, let alone clicked the submit button.
The investigation revealed that third-party scripts attach JavaScript event listeners to form fields and record keystrokes in real time. As a result, even users who abandon a partially completed form have their names, phone numbers, and health conditions transmitted to third-party vendors. Furthermore, 70% of the sites leaked PII in URL parameters, sharing medical data with ad networks and analytics providers as a side effect of ordinary tracking requests. In total, PII from these sites reached 73 distinct third parties, often with no verification of the buyer's intent or business legitimacy. The researchers were even able to buy their own test data back for just four dollars.
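The following Node.js script is an added illustration written for this article; it is not code from the study or from any of the sites examined. It reproduces the two mechanisms just described in miniature: a tracker that listens for every keystroke and ships the partial field value immediately, and a beacon that puts the value in the query string, which is how PII ends up in URLs. Node's built-in EventTarget stands in for a DOM input, the hostnames tracker.example and insurer.example are assumed, and the typed values are constructed sample input. It also includes the two checks an auditor would want: a scan of captured request URLs for PII-looking parameters, and an origin allowlist in front of the beacon (the role a Content-Security-Policy connect-src/img-src directive plays in a real page).

```javascript
// Added example (not from the study or the sites it examined): keystroke
// capture before submit, PII leaking into URL parameters, and two checks.

// Minimal stand-in for an <input> element. Browsers fire an 'input' event on
// every keystroke; this class does the same without a DOM.
class FakeInput extends EventTarget {
  constructor(name) {
    super();
    this.name = name;
    this.value = '';
  }
  type(text) {
    for (const ch of text) {
      this.value += ch;
      this.dispatchEvent(new Event('input'));
    }
  }
}

// Every request the page would have made, as full URLs.
const outbound = [];

// Stand-in for navigator.sendBeacon or a tracking pixel. The payload goes into
// the query string, so the receiving host (and anything that logs Referer)
// sees the PII in plain text.
function sendBeacon(baseUrl, fields) {
  const url = new URL(baseUrl);
  for (const [k, v] of Object.entries(fields)) url.searchParams.set(k, v);
  outbound.push(url.toString());
  return true;
}

// The third-party lead-capture script: one listener per field, and each
// keystroke ships the current partial value straight away.
function installTracker(inputs, endpoint, send) {
  for (const input of inputs) {
    input.addEventListener('input', () => {
      send(endpoint, { field: input.name, value: input.value });
    });
  }
}

// Mitigation: only let first-party destinations through. Returns false for
// a blocked request so the caller can see what would have been dropped.
function gatedSendBeacon(allowedOrigins) {
  return (baseUrl, fields) => {
    if (!allowedOrigins.includes(new URL(baseUrl).origin)) return false;
    return sendBeacon(baseUrl, fields);
  };
}

// Audit: flag third-party request URLs whose query values look like PII.
// Patterns are deliberately simple; a real audit would use a fuller set.
const PII_PATTERNS = {
  phone: /\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b/,
  email: /[^\s@]+@[^\s@]+\.[^\s@]+/,
  condition: /\b(diabetes|cancer|hiv|pregnan\w*)\b/i,
};

function auditUrls(urls, firstPartyOrigin) {
  const findings = [];
  for (const raw of urls) {
    const url = new URL(raw);
    if (url.origin === firstPartyOrigin) continue; // first-party is expected
    for (const [param, value] of url.searchParams) {
      for (const [kind, re] of Object.entries(PII_PATTERNS)) {
        if (re.test(value)) findings.push({ host: url.host, param, kind });
      }
    }
  }
  return findings;
}

// Drive the scenario: a user types a phone number and a condition, then
// abandons the form. No submit ever happens. Returns the captured requests.
function simulate(send) {
  outbound.length = 0;
  const phone = new FakeInput('phone');
  const condition = new FakeInput('condition');
  installTracker([phone, condition], 'https://tracker.example/collect', send);
  phone.type('555-867-5309');      // constructed sample input
  condition.type('type 2 diabetes'); // constructed sample input
  return outbound.slice();
}

const leaked = simulate(sendBeacon);
console.log(`${leaked.length} requests left the page before submit`);
console.log(auditUrls(leaked, 'https://insurer.example'));
console.log(`${simulate(gatedSendBeacon(['https://insurer.example'])).length} with the allowlist`);
```

Each keystroke produces one request, so a user who types a 12-character phone number and a 15-character condition and then closes the tab has already generated 27 third-party requests. The audit only flags the final, complete values, which is a reminder that regex-based scanners underreport: the partial values on the earlier requests are just as identifying once reassembled by the recipient.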
The consequences of submitting data are immediate and overwhelming. The study recorded over 8,000 inbound calls, with half of the first contacts arriving within two minutes of submission. One profile received a staggering 1,676 calls over 60 days. To increase answer rates, 59% of callers used "neighbor spoofing", presenting a caller ID with the recipient's own area code. Despite Florida's legal limit of three calls per day, 22% of caller-profile pairs exceeded that threshold, and many callers omitted the FCC-mandated opt-out language.
Worryingly, the study found that the lead generation ecosystem is rife with "placeholder" data. Some brokers assigned identical heights and weights to hundreds of leads, a practice that could lead to insurance underwriters calculating inaccurate premiums or risk scores. While phone-based opt-outs provided some relief, the researchers noted that the constant reselling of leads makes permanent removal nearly impossible. Once a lead enters the marketplace, it is often resold to buyers who have no visibility into original opt-out requests, leading to a persistent cycle of harassment and privacy violations.
Executive IT Forums, Inc.
Educational Programs on Information Technology, Governance, Risk Management, & Compliance (GRC).
Copyright © 2026 Executive IT Forums, Inc. All Rights Reserved.