Blue Shield of CA Leaked PHI of 4.7 Million Members to Google…. WTF??

News is out that Blue Shield of California leaked the health data of 4.7 million members to Google. And upon reading this, my jaw hit the ground:

Blue Shield said it used Google Analytics to track how its customers used its websites, but a misconfiguration had allowed for personal and health information to be collected as well, such as the search terms that patients used on its website to find healthcare providers.

The insurance giant said Google “may have used this data to conduct focused ad campaigns back to those individual members.” 

Blue Shield said the collected data also included insurance plan names, types and group numbers, along with personal information such as patients’ city, zip code, gender and family size. Details of Blue Shield-assigned member account numbers, claim service dates and service providers, patient names and patients’ financial responsibility were also shared. 

Per a legally required disclosure with the U.S. government’s health department, Blue Shield of California said it is notifying 4.7 million individuals affected by the breach. The breach is thought to affect the majority of its customers; Blue Shield had 4.5 million members as of 2022.

Ensar Seker, CISO at SOCRadar:

“In this case, the unintentional exposure of protected health information (PHI) from 4.7 million members to Google’s analytics and advertising platforms raises serious questions about how healthcare providers manage third-party tracking technologies.”

“This isn’t just a technical misstep. It’s a HIPAA compliance failure. PHI should never be sent to platforms like Google Ads or Analytics, especially without explicit patient consent and proper business associate agreements (BAAs) in place. When you consider the type of data potentially exposed (names, IP addresses, search terms, and in some cases sensitive health-related activity) the privacy implications are significant. Such data can be used to infer medical conditions, insurance status, or treatment history, and that creates a risk not just of identity theft, but of discrimination, stigma, and profiling.”

“What’s particularly troubling is the duration of exposure: nearly three years before it was identified and addressed. That suggests a systemic gap in data flow visibility, audit logging, and vendor oversight. Many healthcare organizations unknowingly introduce risk through website trackers, pixel tags, and marketing scripts: tools that are standard in e-commerce, but dangerously misapplied in regulated environments like healthcare.”

“At the end of the day, this incident wasn’t about a hacker breaking in, it was about data leaking out due to weak controls. And that’s often the more dangerous, and more preventable, type of breach.”

Paul Bischoff, Consumer Privacy Advocate at Comparitech:

“Victims should be on the lookout for insurance fraud. Check your hospital bills and prescriptions for any unfamiliar charges that could indicate someone else is using your insurance to get drugs or other care in your name.”

“Patients might have seen ads targeted at them based on confidential information in Blue Shield’s database.” 

“The wildest part about this is that it happened over nearly three years. Luckily, it doesn’t seem like cybercriminals took advantage. The only unauthorized third party that saw the leaked data was Google, according to the disclosure. It doesn’t seem like Google shared identifiable info with any of its advertisers or publishers on Google Ads.”

This is firmly within the realm of WTF. I simply cannot believe that something like this happened, as you would think it could never happen. But in this case, it did. And normally I would say that there needs to be an investigation by the relevant government authorities to make sure that those who are responsible for this monumental screw up are punished. But given the times that the US is living in, I am going to guess that this won’t happen.

UPDATE: Jim Routh, Chief Trust Officer at Saviynt, provided the following comments:

“The industry is likely to see similar types of data breaches going forward. Google has invested in and implemented highly sophisticated data models (Google Analytics) to harvest user online behavioral information (what products are consumed) along with individual attributes, which is then packaged for advertising platforms. The settings for Google Analytics and similar platforms need to be configured and reviewed by the healthcare insurance provider (Blue Shield of California) and other enterprises sharing consumer information. 

“The good news is that this data did not include SSNs and other sensitive information, but the bad news is it was health-specific information for consumers that should not be shared. The notification of this incident comes several months after it was identified (February 11, 2025).”
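As an added illustration of the control Seker and Routh describe (this is not code from the post, from Blue Shield or from Google), here is a client-side guard that scrubs provider-search terms and plan or member identifiers out of what an analytics tag would receive, and records which fields were blocked so the data flow is auditable. The parameter names, the member-number pattern and the sample URL are assumed for illustration.

```javascript
// Added example, not from the original post. Query-string keys that the
// (hypothetical) provider-search and member pages use and that must never
// be forwarded to a third-party tracker. Names are assumed for illustration.
const BLOCKED_PARAMS = new Set([
  'q', 'search', 'specialty', 'condition',   // provider search terms
  'member_id', 'group', 'plan', 'claim_id',  // plan / account identifiers
  'zip', 'dob',
]);

// Value shapes that look like identifiers even when they arrive under an
// unexpected key. Constructed for illustration; a real site would use its
// own member-number and account formats here.
const ID_PATTERNS = [
  /^[A-Z]{3}\d{9}$/,     // hypothetical member-number shape
  /^\d{5}(-\d{4})?$/,    // US ZIP code
];

// Returns a copy of the page URL that is safe to report as the analytics
// "page location": blocked keys are dropped, identifier-looking values are
// replaced with a marker, and the fragment is removed entirely.
function scrubPageLocation(rawUrl) {
  const url = new URL(rawUrl);
  const clean = new URL(url.origin + url.pathname);
  for (const [key, value] of url.searchParams) {
    if (BLOCKED_PARAMS.has(key.toLowerCase())) continue;
    const suspicious = ID_PATTERNS.some((re) => re.test(value));
    clean.searchParams.set(key, suspicious ? '[redacted]' : value);
  }
  return clean.toString();
}

// Filters a custom event payload before it is handed to a tracker. Returns
// the cleaned payload plus the list of dropped keys (names only, never the
// values), which the caller can write to its own audit log.
function filterEventPayload(payload) {
  const dropped = [];
  const kept = {};
  for (const [key, value] of Object.entries(payload)) {
    const bad = BLOCKED_PARAMS.has(key.toLowerCase()) ||
      (typeof value === 'string' && ID_PATTERNS.some((re) => re.test(value)));
    if (bad) dropped.push(key); else kept[key] = value;
  }
  return { allowed: dropped.length === 0, payload: kept, dropped };
}

// Constructed sample: a provider search that would otherwise leak the term.
const sample = scrubPageLocation('https://example.test/find-a-doctor?q=oncology&page=2');
console.log(sample, filterEventPayload({ event: 'provider_search', specialty: 'cardiology' }));
```

The audit record of dropped keys is what gives the "data flow visibility" Seker refers to: a sudden rise in dropped fields on a page is a signal that a new form or parameter is leaking into the tracking layer.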
