Blue Shield Leaked Millions of Patient Info to Google for Years

Blue Shield of California exposed the health data of 4.7 million members to Google for years due to a misconfigured Google Analytics setup. No SSNs leaked.
Blue Shield of California, a major health insurance provider, has announced that the private information of about 4.7 million of its members was exposed to Google’s advertising and analytics services. This happened over nearly three years, from April 2021 to January 2024.
The insurer states (PDF) that they used Google Analytics to track how customers used their websites. A misconfiguration in this setup allowed protected health information to be collected as well, including the specific words and phrases that patients typed into the website to find doctors and other healthcare services.
On February 11, 2025, Blue Shield discovered that Google Analytics had been set up in a way that allowed some member data to be shared with Google’s advertising platform, Google Ads, which may have used that data to show targeted ads to individual members, potentially compromising their privacy.
The information shared might include the insurance plan name, group number, city and zip code, gender, family size, Blue Shield assigned identification numbers for online accounts, the date of medical service, name of the doctor or hospital, patient owed amount, and terms used when searching for a doctor on the “Find a Doctor” tool. However, the company confirmed that personal information, like Social Security numbers, driver’s license numbers, or bank and credit card details, was not exposed in this incident.
Blue Shield halted the connection between Google Analytics and Google Ads on its websites in January 2024. The company is now reviewing its websites and security procedures to prevent other tracking software from sharing members’ private health information.
In its breach notification, Blue Shield stated that it cannot confirm if Google has seen any specific member’s information, but is informing all members who may have used their online accounts on Blue Shield’s websites during that timeframe out of caution.
The company is reassuring members that no malicious hackers were involved in the incident and that Google only used the information for advertisements and has not shared the private health details with anyone else. It also expressed its commitment to safeguarding its members’ privacy.
“Blue Shield takes this matter very seriously and has already initiated measures to safeguard against similar future disclosures,” the company stated.
Given that the company had around 4.5 million members in 2022, this breach likely affects the majority of Blue Shield’s customers. According to the U.S. Health Department’s Office of Civil Rights, the Blue Shield of California data exposure is the largest healthcare-related breach in the US so far in 2025.
Blue Shield is urging members to monitor their account statements and credit reports for suspicious activity. Members who suspect fraudulent activity or believe their identity has been stolen should report it to law enforcement agencies. Members can also access a free credit report every 12 months from the three main credit reporting agencies or purchase it directly.
Jim Routh, Chief Trust Officer at Saviynt, told Hackread.com that breaches like this are likely to continue. He pointed out that platforms like Google Analytics collect behavioural and personal data for ad targeting, and it’s up to companies like Blue Shield of California to properly configure these tools.
“While SSNs weren’t exposed, the leaked health-specific data should never have been shared. And the fact that this breach was disclosed months after it was discovered is also concerning,” he said.
Google had access to all that sensitive health-related info for nearly three years, yet there’s no indication the company flagged it or reported it. That raises some serious questions:
- If they did, did they quietly use it for ad targeting?
- Why didn’t any internal safeguards catch that health data was coming through?
HackRead