Blue Shield of California Exposed Data of 4.7 Million to Google

Blue Shield of California has revealed that a misconfiguration in Google Analytics caused the unintentional exposure of sensitive health information for 4.7 million members. Between April 2021 and January 2024, certain member data was inadvertently shared with Google Ads — without the consent or knowledge of affected individuals.

In an official breach notice, the insurer stated: “On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google's advertising product, Google Ads, that likely included protected health information.” The leaked information included insurance plan details, ZIP codes, gender, family size, Blue Shield-assigned account identifiers, medical claim service dates, provider names, patient names, and financial responsibility data.

According to TechCrunch, Blue Shield had been using Google Analytics to monitor how users navigated its website. However, a misconfiguration allowed the collection of personal and health-related information, including search terms patients used to find healthcare providers. The company acknowledged that Google “may have used this data to conduct focused ad campaigns back to those individual members.”

The Register further reported that Blue Shield’s setup “would send visitor data to Google Analytics,” which then forwarded it to Google Ads as a result of the configuration issue. In response, Blue Shield sought to calm concerns, stating: “We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone.”

Google, in a statement to TechCrunch, responded: “Businesses, not Google, manage the data they collect and must inform users about its collection and use.”

Although the incident was caused by a technical oversight, it still raises serious concerns about digital privacy in healthcare. Blue Shield's situation mirrors broader issues in the industry, such as the Norton Healthcare breach, in which attackers exfiltrated patient data during a cyberattack. While Blue Shield’s case lacked malicious intent, it underscores the risks of relying on third-party tools without thorough oversight.

The incident also invites comparisons to the 2023 HCA Healthcare breach, where patient data was deliberately stolen and sold. Though Blue Shield says it cut off the data flow in January 2024 and launched a system-wide review, it has not offered identity protection services and concedes that it “is unable to confirm whether any particular member's specific information was affected.”