Blue Shield of California exposed health data of 4.7M members to Google

Blue Shield of California shared members' private health information with Google for nearly three years, the insurance giant revealed earlier this month.

The data leak potentially impacts the protected health information of 4.7 million people, according to the company's submission to the Department of Health and Human Services' Office for Civil Rights' (HHS OCR's) breach portal.

Blue Shield, like many other health plans, historically used Google Analytics, a third-party vendor service, to internally track how its customers used its websites. 

"We were doing this to improve the services we provide to our members," the company wrote in a data breach notice on its website posted April 9.

On Feb. 11, the company discovered that for nearly three years, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data, which likely included protected health information, to be shared with Google’s advertising product, Google Ads, the health insurer said.

"Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone," Blue Shield said.

Due to this misconfiguration, Blue Shield may have shared collected health data with Google, including insurance plan name, type and group number, along with personal information such as patients' names, city, ZIP code, gender and family size, as well as Blue Shield-assigned identifiers for members’ online accounts, medical claim service date and service provider, and patient financial responsibility. The collected data also may have included “Find a Doctor” search criteria and results, such as location, plan name and type, and provider name and type.

Blue Shield said there was no disclosure of other types of personal information, such as Social Security numbers, driver’s license numbers or banking or credit card information.

The company severed the connection between Google Analytics and Google Ads on its websites in January 2024.  

"We have no reason to believe that any member data has been shared from Blue Shield’s websites with Google after the connection was severed. Upon discovering the issue, Blue Shield immediately initiated a review of its websites and security protocols to ensure that no other analytics tracking software is impermissibly sharing members’ protected health information," the company said.

Blue Shield has 4.8 million members, according to a 2024 press release, so the data breach impacts nearly all of its members.

"Out of an abundance of caution, Blue Shield is providing notice to all members who may have accessed their member information on the potentially impacted Blue Shield websites during the relevant time frame," the company said.

“The industry is likely to see similar types of data breaches going forward," Jim Routh, chief trust officer at Saviynt, an identity security solutions company, said in an email to Fierce Healthcare. "Google has invested in and implemented highly sophisticated data models (Google Analytics) to harvest user online behavioral information (what products are consumed) along with individual attributes, which is then packaged for advertising platforms. The settings for Google Analytics and similar platforms need to be configured and reviewed by the healthcare insurance provider (Blue Shield of California) and other enterprises sharing consumer information."

“The good news is that this data did not include SSNs and other sensitive information, but the bad news is it was health-specific information for consumers that should not be shared. The notification of this incident comes several months after it was identified on February 11, 2025," Routh said.

Ensar Seker, chief information security officer at cybersecurity company SOCRadar, said the unintentional exposure of protected health information from 4.7 million members to Google’s analytics and advertising platforms "raises serious questions about how healthcare providers manage third-party tracking technologies."

"This isn’t just a technical misstep. It’s a HIPAA compliance failure. PHI should never be sent to platforms like Google Ads or Analytics, especially without explicit patient consent and proper business associate agreements (BAAs) in place. When you consider the type of data potentially exposed, names, IP addresses, search terms, and in some cases sensitive health-related activity, the privacy implications are significant. Such data can be used to infer medical conditions, insurance status, or treatment history, and that creates a risk not just of identity theft, but of discrimination, stigma, and profiling," Seker said.

Hospitals and health systems have landed in hot water over their use of third-party web tracking technologies such as Meta Pixel and Google Analytics. A study suggests that more than 9 in 10 hospitals’ homepages have at least one third-party cookie.

A June 2022 investigation from The Markup raised the issue that the use of an ad tracking tool may violate the federal Health Insurance Portability and Accountability Act (HIPAA). The controversy spurred costly class-action lawsuits. Disgruntled patients filed individual and class-action lawsuits against providers for sharing their personally identifying information through website trackers.

In December 2022, HHS’ OCR issued guidance to hospitals warning that the services are a likely HIPAA violation.

Since then, the OCR and the Federal Trade Commission have sent warning letters, made public in September, to more than a hundred hospital systems and telehealth providers that have integrated the tools into their websites or apps.

The duration of exposure, nearly three years before it was identified and addressed, also is a troubling factor, Seker noted. "That suggests a systemic gap in data flow visibility, audit logging, and vendor oversight. Many healthcare organizations unknowingly introduce risk through website trackers, pixel tags, and marketing scripts, tools that are standard in e-commerce, but dangerously misapplied in regulated environments like healthcare," Seker said.

He added, "At the end of the day, this incident wasn’t about a hacker breaking in, it was about data leaking out due to weak controls. And that’s often the more dangerous, and more preventable, type of breach."

Paul Bischoff, consumer privacy advocate at Comparitech, a company that provides reviews of cybersecurity services and products, said individuals impacted by the data breach should be on the lookout for insurance fraud. "Check your hospital bills and prescriptions for any unfamiliar charges that could indicate someone else is using your insurance to get drugs or other care in your name," Bischoff said.