Blue Shield of California data breach leaked millions of users’ health data to Google

(KRON) — A blockbuster potential data breach may have led to millions of Blue Shield of California members having their private health information shared with Google and used to target them with ads. That’s according to a notice the Oakland-based health insurance provider posted earlier this month.

According to the notice, Blue Shield discovered on Feb. 11 of this year that between April 2021 and January 2024, the insurance provider configured its Google Analytics account in a way that “allowed certain member data to be shared with Google’s advertising product, Google Ad.”

“That likely included protected health information,” Blue Shield added.

In the notice, Blue Shield explained that it used Google Analytics “to internally track website usage of members who entered certain Blue Shield sites.” As a result, members who accessed member information on Blue Shield websites during the above timeline may have had their data compromised.”

As a result of the leak, “Google may have used this data to conduct focused ad campaigns back to those individual members,” Blue Shield said. “We want to assure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared protected information with anyone.”

According to a government filing with the U.S. Department of Health and Human Services Office for Civil Rights, roughly 4.7 million people have been impacted by the breach. Blue Shield said the kind of information it potentially leaked to Google Ads includes:

• Insurance plan name, type and group number
• City
• Zip code
• Gender
• Family size
• Blue Shield assigned identifiers for members’ online accounts
• Medical claims service date and service provider
• Patient name
• Patient financial responsibility
• “Find a Doctor” search criteria and results

Blue Shield said there was no disclosure of Social Security or driver’s license numbers, or banking and credit card info. Blue Shield severed the connection between Google Analytics and Google Ads on its websites in January 2024.