During the State of the Union address, President Obama announced a new initiative to protect Americans’ personal information online. The first place he might want to look is the government’s own HealthCare.Gov.

Inspections by tech experts from Catchpoint Systems and the Associated Press found over 50 third-party sites connected to HealthCare.Gov. (That many connections running in the background could help explain slow loading on the site.) These data companies can’t see your name, birth date or Social Security number, but they may have access to a visitor’s age, income, ZIP code, even whether they smoke or are pregnant. And in the right combination, these details could be correlated with a visitor’s other internet browsing habits.

It’s not that data collection is unusual on the web, but finding these trackers on a government site that deals with sensitive medical information is more troubling than your average ad customization.

Why are such third-party trackers even there?

The Obama administration says advertising and Web analytics sites have access to HealthCare.Gov to measure performance and streamline visitors’ experience. The sites are not to use any information collected for their companies’ purposes.

Mehdi Daoudi, CEO of Catchpoint Systems, which investigated the site, isn’t convinced these vendors are necessary for the stated purpose. “Anything that is health-related is something very private. Personally, I look at this… government website, and I don’t know what is going on between the government and Facebook, and Google, and Twitter. Why is that there?”

Outside vendors on a website are a potential point of failure and often “the weakest link in your privacy and security chain,” says another cybersecurity consultant who worked for the Bush administration.

She also questioned the number and type of vendors attached to HealthCare.Gov, calling it “overkill.” “You don’t need all of that data to do customer service. We know hackers are just waiting at the door, salivating to get at this data.”

So far, there’s been no evidence of misuse. But we don’t need violations to occur before we can be concerned about the threat. All the pieces are there – they just need the right person to put the data together, and then we’ll have a really serious breach of privacy.

The goal for this period of Obamacare enrollment is 9 million by February 15. With that many visitors, why would we just wait for the inevitable breach to happen?