Blue Shield Leaked Millions Of Patient Info To Google For Years


Blue Shield of California disclosed a major data breach, revealing that the private health information of 4.7 million members was shared with Google for years.

Blue Shield of California, a major health insurance provider, has announced that the private health information of about 4.7 million of its members was exposed to Google’s advertising and analytics services. This happened over about 3 years, from April 2021 to January 2024.

The insurer states (PDF) that it used Google Analytics to track how customers used its websites. A misconfiguration in this setup allowed protected health information to be collected as well, including the specific words and phrases that patients typed into the website to find doctors and other healthcare services.

On February 11, 2025, the company discovered that Google Analytics had been set up in a way that allowed some member data to be shared with Google’s advertising platform, Google Ads, which may have used it to show targeted ads to individual members, potentially compromising their privacy.

The information shared might include the insurance plan name, group number, city and zip code, gender, family size, Blue Shield assigned identification numbers for online accounts, the date of medical service, name of the doctor or hospital, patient owed amount, and terms used when searching for a doctor on the “Find a Doctor” tool. However, the company confirmed that personal data, like Social Security numbers, driver’s license numbers, or bank and credit card details, were not exposed in this incident.

Blue Shield halted the connection between Google Analytics and Google Ads on its websites in January 2024. The company is now reviewing its websites and data procedures to prevent other tracking software from sharing members’ private health information.

In its breach notification, Blue Shield stated that it cannot confirm if Google has seen any specific member’s information, but is notifying all members who may have used their online accounts on Blue Shield’s websites during that timeframe out of caution.

The company is reassuring members that no malicious hackers were involved in the incident and that Google only used the information for advertisements and has not shared the private health details with anyone else. It also expressed its commitment to safeguarding its members’ privacy.

“Blue Shield takes this matter very seriously and has already initiated measures to safeguard against similar future disclosures,” the company stated.

Given that the company had about 4.5 million members in 2022, this breach likely affects the majority of Blue Shield’s customers. According to the U.S. Health Department’s Office of Civil Rights, the Blue Shield of California data exposure is the largest healthcare-related breach in the US so far in 2025.

Blue Shield is urging members to monitor their account statements and credit reports for suspicious activity. If they suspect fraudulent activity or believe their identity has been stolen, they should report it to law enforcement agencies. Members can also access a free credit report every 12 months from 3 main credit reporting agencies or purchase it directly.

Jim Routh, Chief Trust Officer at Saviynt, told Hackread.com that breaches like this are likely to continue. He pointed out that platforms like Google Analytics collect behavioural and personal data for ad targeting, and it’s up to companies like Blue Shield of California to properly configure these tools.

“While SSNs weren’t exposed, the leaked health-specific data should never have been shared. And the fact that this breach was disclosed months after it was discovered is also concerning,” he said.

Since Google had access to all that sensitive health-related info for about 3 years, there’s no indication the company flagged it or reported it. It raises some serious questions:

  • Did they even notice?
  • If they did, did they quietly use it for ad targeting?
  • Why didn’t any internal safeguards catch that health data was coming through?