Blue Shield of California shared private health data of 4.7 million members with Google without consent

A hot potato: Health insurance provider Blue Shield of California is notifying customers that it had been sharing the private health information of up to 4.7 million members with Google’s analytics and advertising platforms for three years without their knowledge or consent. A wide range of data was exposed, and it may have been used by Google for targeted ad purposes.

Blue Shield of California wrote on its website that it has begun notifying certain members of a potential data breach that may have included elements of their protected health information.

The issue stems from Blue Shield using Google Analytics to internally track website usage of members who entered certain Blue Shield sites.

On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, a misconfiguration of Google Analytics on certain Blue Shield sites allowed members’ sensitive health data to be shared with Google Ads.

The shared data may have included insurance plan details, addresses, gender, family size, Blue Shield-assigned account identifiers, financial responsibility info, and search queries and results for the “Find a Doctor” tool (location, plan name and type, provider name and type).

The notice adds that Google may have used this data to carry out targeted ad campaigns against individual members. That’s certainly unnerving when private, personal health details are being exploited.

Blue Shield says it ended its relationship with Google Analytics and Google Ads on its websites in January 2024.

Blue Shield writes that Social Security numbers, driver’s license numbers, and banking or credit card information were not disclosed. However, it’s recommended that members closely review their account statements and credit reports for anything suspicious. There are also recommendations to order a free credit report and place a fraud alert on it.

Companies tend to offer free identity fraud and theft protection in cases like these, but there’s no mention of Blue Shield offering these services. The notice’s “What we are doing” section simply states that Blue Shield “regrets” what happened; there’s no actual apology.

Blue Shield isn’t the first healthcare firm to make this mistake. As noted by TechCrunch, insurance giant Kaiser said it shared the data of 13 million patients with advertisers, including Google, Microsoft, and X, after embedding tracking code on its website. Cerebral, Monument, and Tempest also shared patients’ personal and health information with advertisers.

Masthead: Steve Rhodes