Health insurer Blue Shield of California is notifying roughly 4.7 million people that their protected health information (PHI) was exposed to Google for years.
The data breach, the organization says, was the result of a website misconfiguration that resulted in members’ data being shared with the Google Ads advertising service.
Blue Shield of California has been using Google Analytics to internally track website usage on certain sites, “to improve the services” offered to members, the company says.
“On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information,” the health insurer announced earlier this month.
Blue Shield of California says that the connection between Google Analytics and Google Ads on its website was severed in January 2024, thus stopping the data leak.
The potentially exposed information includes names, family size, insurance plan details, city and zip code, account identifiers, medical claims details, patient financial responsibility, and doctor search information.
“Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone,” the insurer said.
Personal information such as Social Security number and driver’s license number was not exposed, and neither was banking or credit card information, the company says.
Blue Shield of California disclosed the data breach earlier this month without saying how many individuals were affected. This week, however, an update on the US Department of Health and Human Services’ data breach portal revealed that the incident likely impacts 4.7 million people.
“This isn’t just a technical misstep. It’s a HIPAA compliance failure. PHI should never be sent to platforms like Google Ads or Analytics, especially without explicit patient consent and proper business associate agreements (BAAs) in place. When you consider the type of data potentially exposed (names, IP addresses, search terms, and in some cases sensitive health-related activity) the privacy implications are significant,” SOCRadar’s CISO Ensar Seker said in an emailed comment.
“What’s particularly troubling is the duration of exposure. Nearly three years before it was identified and addressed. That suggests a systemic gap in data flow visibility, audit logging, and vendor oversight. Many healthcare organizations unknowingly introduce risk through website trackers, pixel tags, and marketing scripts. Tools that are standard in e-commerce, but dangerously misapplied in regulated environments like healthcare,” Seker continued.
Indeed, the Blue Shield of California incident is not singular. In October 2022, non-profit healthcare provider Advocate Aurora Health revealed that a malformed tracking pixel exposed the PHI of 3 million people to Facebook and Google.
Related: Insurance Firm Lemonade Says API Glitch Exposed Some Driver’s License Numbers
Related: Call Records of Millions Exposed by Verizon App Vulnerability
Related: Low-Code, High Risk: Millions of Records Exposed via Misconfigured Microsoft Power Pages
Related: DOJ-Collected Information Exposed in Data Breach Affecting 340,000