Security leaders share thoughts on Blue Shield of California data breach

Blue Shield of California has notified members of a data breach that may have impacted protected health information. Due to the complexity and scope of the disclosures, Blue Shield is unable to confirm whether any particular member’s specific information was affected.
Like other health plans, Blue Shield historically used the third-party service Google Analytics to internally track website usage of members who entered certain Blue Shield sites. We were doing this to improve the services we provide to our members.
On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data, likely including protected health information, to be shared with Google's advertising product, Google Ads. Google may have used this data to target ad campaigns at those individual members.
Blue Shield severed the connection between Google Analytics and Google Ads on its websites in January 2024. Upon discovering the issue, Blue Shield immediately initiated a review of its websites and security protocols to ensure that no other analytics tracking software is impermissibly sharing members’ protected health information.
Potentially impacted information included: Insurance plan name, type and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members’ online accounts; medical claim service date and service provider, patient name, and patient financial responsibility; and “Find a Doctor” search criteria and results (location, plan name and type, provider name and type).
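The leak described above is a data-flow problem: the page URL and "Find a Doctor" search fields were reported to an analytics tag that was linked to an advertising platform. Two controls a practitioner would want are a scrubber that strips plan and search fields from the URL before it is handed to any tag, and an audit that scans captured outbound requests (from a HAR file or proxy log) for tracker hosts still receiving those fields. The block below is an added illustration, not Blue Shield's or Google's code; the parameter names, the tracker hostname list, the use of a GA-style `dl` (document location) query parameter, and the sample requests are all assumptions constructed for the example.

```javascript
// Added example, not code from the original article or from Blue Shield.
// Scrub sensitive query parameters before they reach a third-party tag, and
// audit captured requests for ones that still carry them. All parameter
// names, hostnames and sample requests are assumptions made for illustration.

// Query parameters that, on a health plan's member site, can carry PHI or
// plan details (assumed names, modelled on the "Find a Doctor" fields above).
const SENSITIVE_PARAMS = new Set([
  "memberid", "groupnumber", "plan", "plantype", "zip", "city",
  "specialty", "provider", "claimid", "servicedate",
]);

// Third-party analytics/ads collection hosts to audit (assumed list).
const TRACKER_HOSTS = [
  "google-analytics.com",
  "analytics.google.com",
  "doubleclick.net",
  "googleadservices.com",
];

function isTrackerHost(hostname) {
  return TRACKER_HOSTS.some(h => hostname === h || hostname.endsWith("." + h));
}

// Names of sensitive parameters present in a URL's query string.
function sensitiveParamsIn(url) {
  const found = [];
  for (const name of url.searchParams.keys()) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) found.push(name);
  }
  return found;
}

// Remove sensitive parameters entirely. Pass the result to the analytics
// tag as the page location instead of the raw window URL.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const name of sensitiveParamsIn(url)) {
    url.searchParams.delete(name);
  }
  return url.toString();
}

// Audit captured outbound request URLs. Flags any request to a tracker host
// whose own query string, or the page URL it reports in the assumed `dl`
// parameter, carries a sensitive parameter.
function auditRequests(requestUrls) {
  const findings = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    if (!isTrackerHost(url.hostname)) continue;
    let leaked = sensitiveParamsIn(url);
    const dl = url.searchParams.get("dl");
    if (dl) {
      try {
        leaked = leaked.concat(sensitiveParamsIn(new URL(dl)));
      } catch (_) {
        // dl was not a parseable URL; nothing further to inspect
      }
    }
    if (leaked.length > 0) findings.push({ host: url.hostname, leaked });
  }
  return findings;
}

// Constructed sample: one collect request reporting a raw Find-a-Doctor URL,
// one reporting the scrubbed URL, and one first-party request that is ignored.
const RAW_PAGE = "https://member.example.invalid/find-a-doctor?specialty=oncology&zip=94105";
const SAMPLE_REQUESTS = [
  "https://www.google-analytics.com/g/collect?v=2&tid=G-TESTTAG&dl=" +
    encodeURIComponent(RAW_PAGE),
  "https://www.google-analytics.com/g/collect?v=2&tid=G-TESTTAG&dl=" +
    encodeURIComponent(scrubUrl(RAW_PAGE)),
  "https://member.example.invalid/api/claims?claimid=12345",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
}
```

Running the block reports one finding: the first request, which sends `specialty` and `zip` to the analytics host inside the reported page URL. The scrubbed request produces no finding, and the first-party API call is skipped because it never leaves the member site. A real audit would also cover POST bodies and the path component, since some sites embed identifiers there rather than in the query string.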
Ensar Seker, CISO at SOCRadar, says "In this case, the unintentional exposure of protected health information (PHI) from 4.7 million members to Google’s analytics and advertising platforms raises serious questions about how healthcare providers manage third-party tracking technologies. This isn’t just a technical misstep. It’s a HIPAA compliance failure. PHI should never be sent to platforms like Google Ads or Analytics, especially without explicit patient consent and proper business associate agreements (BAAs) in place. When you consider the type of data potentially exposed (names, IP addresses, search terms, and in some cases sensitive health-related activity) the privacy implications are significant. Such data can be used to infer medical conditions, insurance status, or treatment history, and that creates a risk not just of identity theft, but of discrimination, stigma, and profiling."
"What’s particularly troubling is the duration of exposure: nearly three years before it was identified and addressed. That suggests a systemic gap in data flow visibility, audit logging, and vendor oversight. Many healthcare organizations unknowingly introduce risk through website trackers, pixel tags, and marketing scripts, tools that are standard in e-commerce but dangerously misapplied in regulated environments like healthcare."
Paul Bischoff, Consumer Privacy Advocate at Comparitech, says "Victims should be on the lookout for insurance fraud. Check your hospital bills and prescriptions for any unfamiliar charges that could indicate someone else is using your insurance to get drugs or other care in your name."
Aditya K. Sood, VP of Security Engineering and AI Strategy at Aryaka, says "This incident underscores the critical importance of strong data governance for health organizations. By limiting third-party access and collecting only necessary data, organizations can maintain control over their data and reduce the risk of incidents like the Blue Shield data leak. Enhanced staff training, transparent patient communication, and secure system configurations are also crucial to prevention. Prioritizing encryption, having a clear incident response, and fostering a privacy-focused culture are non-negotiable for protecting patient health information. By self-regulating and always considering the potential downstream effects of data sharing, organizations can prioritize their own privacy and that of their patients, fostering a sense of security and control."