Blue Shield of California has suffered a data breach in which millions of patients' protected health information may have been shared with Google Analytics and then Google Ads.
A listing on the US Department of Health and Human Services breach portal this week suggested as many as 4.7 million of the non-profit’s six million members may be affected.
The breach lasted for almost three years, from April 2021 to January 2024, but the insurer only realised Google had access to the data in February 2025.
Blue Shield said that on 11 February 2025 it discovered that between April 2021 and January 2024, Google Analytics was configured to allow certain member data, likely including protected health information, to be shared with Google’s advertising product Google Ads.
Google may have used this data to conduct focused ad campaigns back to those individual members, it added.
Blue Shield said that due to the complexity and scope of the disclosures, it was unable to confirm whether any particular member’s specific information was affected.
Information that may have been impacted included:
- insurance plan name, type and group number;
- city and zip code;
- gender;
- family size;
- Blue Shield assigned identifiers for members’ online accounts;
- medical claim service date and service provider, patient name, and patient financial responsibility;
- and Find a Doctor search criteria and results such as location, plan name and type, provider name and type.
It believed there was no disclosure of other types of personal information, such as social security numbers, driver’s license numbers, or banking or credit card information.
However, the insurer has advised members to remain vigilant by closely reviewing their account statements and credit reports.
The insurer said in the notice of the data breach that: “Out of an abundance of caution, Blue Shield is providing notice to all members who may have accessed their member information on the potentially impacted Blue Shield websites during the relevant time frame.
“Blue Shield takes this matter very seriously and has already initiated measures to safeguard against similar future disclosures.”
Health & Protection has reported on several data breaches in recent times. One of the most severe was with Star Health Insurance, one of the largest health insurance companies in India, which reportedly had a data breach last year that may have exposed the confidential details of as many as 31 million people.
‘No bad actor’
Blue Shield said that, like other health plans, it historically used the third-party vendor service Google Analytics to internally track website usage of members who entered certain Blue Shield sites.
“We were doing this to improve the services we provide to our members.”
Blue Shield said: “We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone.”
It said that it severed the connection between Google Analytics and Google Ads on its websites in January 2024.
Blue Shield said: “We have no reason to believe that any member data has been shared from Blue Shield’s websites with Google after the connection was severed.
“Upon discovering the issue, Blue Shield immediately initiated a review of its websites and security protocols to ensure that no other analytics tracking software is impermissibly sharing members’ protected health information.”