4.7 Million People Are Affected by the Blue Shield of California Data Breach
Blue Shield of California, a health insurer, is informing around 4.7 million people that their private health information was unintentionally shared with Google over a period of several years due to a website error.

This issue arose from a misconfiguration of its website that caused members’ data to be shared with Google Ads, Google's advertising service. Blue Shield used Google Analytics to monitor website usage with the aim of improving member services.
On February 11, 2025, the company discovered that from April 2021 to January 2024, the configuration allowed some member data to be shared with Google Ads, which likely included their private health information. The data exposure stopped in January 2024 when Blue Shield cut the connection between Google Analytics and Google Ads.
The potentially exposed information includes names, family size, insurance plan details, city and zip code, account identifiers, medical claims information, patient financial obligations, and doctor search data. Google might have targeted ads towards these members using the data. Blue Shield reassures its members that no hackers were involved, and as far as they know, Google only used this information for ads and did not share it with others.
Crucially, Social Security numbers, driver’s license numbers, banking information, and credit card details were not exposed, according to Blue Shield.
While Blue Shield disclosed the data breach earlier this month without stating how many individuals were affected, a recent update from the US Department of Health and Human Services’ data breach portal revealed the breach likely impacts 4.7 million people.
Ensar Seker, a cybersecurity expert, stated, "This is not only a technical mistake but a failure to comply with HIPAA rules." Private health information should not be sent to platforms like Google Ads or Google Analytics without explicit patient consent and proper agreements. Considering the types of data exposed, the privacy implications are serious.
The duration of nearly three years before the breach was detected and addressed indicates possible gaps in monitoring, audit logging, and vendor management. Many healthcare organizations inadvertently introduce risk with website tools commonly used in e-commerce, which are not suited for regulated healthcare environments.
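As an added example (not Blue Shield's code or site), the following Python audit illustrates the kind of monitoring the paragraph above calls for: it scans constructed sample pages for the pattern described in this incident, namely a Google Analytics tag whose advertising signals are left enabled, or a Google Ads conversion tag, on routes that carry member data. The route prefix, tag IDs and page contents are assumptions; the `allow_google_signals` and `allow_ad_personalization_signals` settings are real gtag.js configuration keys.

```python
import re

# Constructed sample pages (not Blue Shield's actual site). The first mirrors
# the risky pattern: an Analytics tag with ads signals left on, plus a Google
# Ads tag, on a page that handles member data. The second is hardened.
SAMPLE_PAGES = {
    "/member/claims": """<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE1"></script>
<script>
  gtag('config', 'G-EXAMPLE1');
  gtag('config', 'AW-000000000');
</script>""",
    "/member/find-a-doctor": """<script>
  gtag('config', 'G-EXAMPLE1', {
    'allow_google_signals': false,
    'allow_ad_personalization_signals': false
  });
</script>""",
    "/about": "<p>Public marketing page</p>",
}

# Assumed route prefixes on which member-specific data (claims, plan details,
# doctor searches) appears; public marketing pages are out of scope.
PHI_ROUTE_PREFIXES = ("/member/",)

TAG_ID_RE = re.compile(r"gtag\(\s*'config'\s*,\s*'([A-Z]+-[A-Z0-9]+)'")
SIGNALS_OFF_RE = re.compile(r"'allow_google_signals'\s*:\s*false")
PERSONALIZATION_OFF_RE = re.compile(r"'allow_ad_personalization_signals'\s*:\s*false")


def audit_page(path, html):
    """Return a list of findings for one page; an empty list means nothing flagged."""
    findings = []
    if not path.startswith(PHI_ROUTE_PREFIXES):
        return findings
    tag_ids = TAG_ID_RE.findall(html)
    # AW- IDs are Google Ads conversion tags; G-/UA- IDs are Analytics properties.
    if any(t.startswith("AW-") for t in tag_ids):
        findings.append("Google Ads tag (AW-) present on a member-data route")
    if any(t.startswith(("G-", "UA-")) for t in tag_ids):
        if not SIGNALS_OFF_RE.search(html):
            findings.append("Analytics tag without allow_google_signals=false")
        if not PERSONALIZATION_OFF_RE.search(html):
            findings.append("Analytics tag without allow_ad_personalization_signals=false")
    return findings


def audit_site(pages):
    """Map each flagged path to its findings, skipping clean pages."""
    return {p: f for p, f in ((p, audit_page(p, h)) for p, h in pages.items()) if f}
```

Running `audit_site(SAMPLE_PAGES)` flags only `/member/claims`; in practice the page set would come from a crawl of authenticated routes rather than constructed strings.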
This incident with Blue Shield is not an isolated case. In October 2022, Advocate Aurora Health also reported a tracking pixel issue that exposed the private health information of 3 million individuals to Facebook and Google.