Health lead‑gen sells data
Investigators found some health‑insurance lead sites immediately sell users' personal details after a form is submitted, triggering near‑instant spam calls and weak opt‑out options. That practice turns ordinary sign‑up flows into a data marketplace and raises a trust tax for any app asking people about symptoms or coverage. (helpnetsecurity.com)
You can type your phone number into a site that promises a health insurance quote and get a sales call before you’ve even finished comparing plans. A new study tracked 105 health insurance lead sites and found some of them passed user details to outside companies within seconds. (helpnetsecurity.com)
The researchers from the University of California, Davis, Stanford University, and Maastricht University built 210 fake consumer profiles with unique phone numbers and email addresses. They submitted those profiles across the 105 sites and watched what happened for 60 days. (helpnetsecurity.com)
They found one leak before the form was even sent. Third-party scripts on many pages captured what people typed, keystroke by keystroke, including names, phone numbers, email addresses, and health-condition details. (helpnetsecurity.com)
They found a second leak after submission. Seventy percent of the sites put personal details directly into the page web address, which then exposed that data to advertising and analytics companies through referral headers. (helpnetsecurity.com)
Across the 105 sites, personal data reached 73 outside parties. The buyers did not face much scrutiny either: the researchers signed up on three lead platforms and none required proof of a legitimate business purpose, an insurance license, or an explanation for how the data would be used. (helpnetsecurity.com)
Some of the data for sale was not just sensitive but sloppy. One seller offered height and weight on every lead even though its own form never asked for those fields, and about 80 percent of the records used the same 65-inch and 175-pound values. (helpnetsecurity.com)
The calls came fast and at scale. In the main study, 105 profiles received 8,214 inbound calls from 1,240 different phone numbers, and 78 percent of profiles got at least one call. (helpnetsecurity.com)
Federal regulators have been circling this market for a while. On December 10, 2024, the Federal Trade Commission sent warning letters saying health-plan marketers and lead generators may be violating the law through deceptive claims and unsolicited calls, including robocalls and calls to numbers on the National Do Not Call Registry. (ftc.gov)
The Federal Trade Commission escalated in August 2025, when it said Assurance IQ and MediaAlpha would pay a combined $145 million to settle allegations that they misled people looking for comprehensive health insurance and then bombarded them with telemarketing and robocalls. (ftc.gov)
Medicare already has tighter rules than this corner of the broader market. The Centers for Medicare and Medicaid Services says marketing rules apply to Medicare Advantage and prescription drug plans, and current federal regulations bar third-party marketing organizations from sharing beneficiary data with another marketing organization without prior written consent. (cms.gov, ecfr.gov, cms.gov)
The wider fight is moving toward data brokers too. In December 2024, the Consumer Financial Protection Bureau proposed treating brokers that sell sensitive personal information as consumer reporting agencies under the Fair Credit Reporting Act, which would force them to meet accuracy, access, and misuse-prevention rules. (consumerfinance.gov)
What this study shows is simpler than any regulation: on some quote sites, “get my options” can function like “sell my details now.” Once that flow becomes normal, every app that asks about coverage, prescriptions, pregnancy, or symptoms starts with a trust problem it did not have a few years ago. (helpnetsecurity.com, arxiv.org)
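The second leak described above (form details in the page address reaching ad and analytics hosts through the Referer header) can be checked for on your own pages. The sketch below is an added example, not code from the study: the URLs, parameter names and the PII heuristics are constructed for illustration, and `refererSent` models the standard Referrer-Policy values.

```javascript
// Added example: constructed URLs and parameter names, not taken from the study.
const PII_NAME = /^(e-?mail|phone|tel|first_?name|last_?name|name|dob|zip|condition)$/i;
const EMAIL = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const PHONE = /^\+?[\d\s().-]{10,}$/;

// Query parameters whose name or value looks like personal data.
function piiParams(urlString) {
  const hits = [];
  for (const [key, value] of new URL(urlString).searchParams) {
    if (PII_NAME.test(key) || EMAIL.test(value) || PHONE.test(value)) hits.push(key);
  }
  return hits;
}

// Referer value a browser sends for a request from pageUrl to destUrl
// under a given Referrer-Policy (null means no header is sent).
function refererSent(pageUrl, destUrl, policy) {
  const page = new URL(pageUrl), dest = new URL(destUrl);
  page.hash = ""; page.username = ""; page.password = "";
  const full = page.href, originOnly = page.origin + "/";
  const sameOrigin = page.origin === dest.origin;
  const downgrade = page.protocol === "https:" && dest.protocol !== "https:";
  switch (policy) {
    case "no-referrer": return null;
    case "unsafe-url": return full;
    case "origin": return originOnly;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : originOnly;
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin-when-cross-origin": return sameOrigin ? full : originOnly;
    case "strict-origin-when-cross-origin":
      return sameOrigin ? full : (downgrade ? null : originOnly);
    default: throw new Error("unknown policy: " + policy);
  }
}

// PII parameter names that reach a third party through the Referer header.
function leakedToThirdParty(pageUrl, destUrl, policy) {
  const referer = refererSent(pageUrl, destUrl, policy);
  return referer === null ? [] : piiParams(referer);
}

// Constructed sample: a quote form submitted with GET lands on this URL.
const landing = "https://quotes.example/thanks?name=Pat+Doe&phone=555-010-0199&email=pat%40example.org&plan=silver";
const pixel = "https://ads.example/pixel.gif";
for (const p of ["unsafe-url", "no-referrer-when-downgrade", "strict-origin-when-cross-origin"]) {
  console.log(p, "->", leakedToThirdParty(landing, pixel, p));
}
```

A strict Referrer-Policy only trims the header; scripts running on the page can still read the address, so submitting forms with POST and keeping personal fields out of the URL is the stronger fix.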