On April 9, 2025, Blue Shield of California announced a privacy breach involving website tracking technology that shared member information with Google Ads. The health plan reported the breach to the HHS' Office for Civil Rights (OCR) as affecting around 4.7 million people, which makes it the second-largest healthcare data breach reported so far in 2025, behind Yale New Haven Health System's 5.5 million-record breach.
Blue Shield of California explained that, like many other health plans, it deployed Google Analytics on some of its web pages to monitor visitor activity. Google Analytics is widely used by website owners to learn about their traffic: it records, for example, how visitors arrived at the site and which pages they viewed, and that data can be used to improve the site and the user experience.
On February 11, 2025, Blue Shield of California discovered that Google Analytics had been configured in a way that allowed member data to be shared with Google Ads for nearly three years, from April 2021 to January 2024. The data shared as a result of this misconfiguration likely included members' protected health information (PHI), which Google Ads then used to personalize the ads members saw online.
The types of information potentially exposed and used to serve personalized ads varied from person to person, depending on how each member used the Blue Shield web pages. The exposed data likely included patient name, insurance plan name, type and group number, gender, city, zip code, family size, the identifiers Blue Shield assigned to members' online accounts, medical claim service date and provider, and patient financial responsibility. If a visitor used the "Find a Doctor" feature, the search criteria and results, such as location, plan name and type, and provider name and type, could also have been exposed.
Blue Shield of California stressed that no threat actor accessed member data and that the information collected from website visitors would only have been used to serve targeted ads. The connection between Google Analytics and Google Ads was severed in January 2024, and Blue Shield of California has found no indication that any further data was disclosed to Google Ads after that date. Once the problem was identified, Blue Shield of California began a full review of its websites and security practices to ensure that third-party tracking code does not share member information. Because HIPAA does not permit the use of PHI for marketing without the individual's authorization, the incident is treated as a reportable data breach.
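The review Blue Shield describes comes down to a concrete check: capture the beacons a page sends to Google's analytics and ads endpoints and look at what page context they carry. Google Analytics hits include the full page URL (`dl`), the referrer (`dr`), the page title (`dt`) and, if configured, a user identifier (`uid`), so a "Find a Doctor" search or a claim page leaks through the URL alone, and with the Ads link active the same hits also reach a doubleclick.net host. The following is an added example written for this page, not Blue Shield's code or any Google tool: it audits a list of captured beacon URLs (for example exported from a HAR file or an intercepting proxy) for PHI-like content, and shows a `sanitizePageLocation` helper that produces the URL a site should hand to gtag's `page_location` parameter instead of the raw address. The tracker host list, the sensitive path and query-key patterns, and the sample beacons are all constructed assumptions for the example.

```javascript
// Added example (not Blue Shield's or Google's code): audit captured outbound
// analytics beacons for PHI-like page context, and sanitize what gets sent.

// Hosts that receive Google Analytics / Google Ads hits. Illustrative list (assumption).
const TRACKER_HOSTS = new Set([
  'www.google-analytics.com', 'region1.google-analytics.com', 'analytics.google.com',
  'stats.g.doubleclick.net', 'googleads.g.doubleclick.net', 'www.googleadservices.com',
]);

// Paths and query keys on the monitored site that imply PHI when they appear inside a
// beacon. These are assumptions for the example, not Blue Shield's real URL scheme.
const SENSITIVE_PATH = /\/(find-a-doctor|claims|member|plan)\b/i;
const SENSITIVE_QUERY_KEYS = new Set(['specialty', 'provider', 'zip', 'plan', 'member_id', 'claim', 'group']);

// Inspect one beacon URL. Returns null for non-tracker hosts, otherwise
// { host, findings } where findings lists every PHI-like value found in the hit.
function inspectBeacon(beaconUrl) {
  const u = new URL(beaconUrl);
  if (!TRACKER_HOSTS.has(u.hostname)) return null;
  const p = u.searchParams;
  const findings = [];

  // dl (document location) and dr (referrer) embed full site URLs, query string included.
  for (const key of ['dl', 'dr']) {
    const v = p.get(key);
    if (!v) continue;
    let embedded;
    try { embedded = new URL(v); } catch { continue; }
    if (SENSITIVE_PATH.test(embedded.pathname)) {
      findings.push(`${key}: sensitive path ${embedded.pathname}`);
    }
    for (const [qk, qv] of embedded.searchParams) {
      if (SENSITIVE_QUERY_KEYS.has(qk.toLowerCase())) findings.push(`${key}: query ${qk}=${qv}`);
    }
  }

  // uid ties the hit to a logged-in account; on an ads host that is an identifier disclosure.
  const uid = p.get('uid');
  if (uid) findings.push(`uid: account identifier ${uid} sent to ${u.hostname}`);

  // GA4 event (ep.*) and user (up.*) properties can carry the same fields explicitly.
  for (const [k, v] of p) {
    if ((k.startsWith('ep.') || k.startsWith('up.')) && SENSITIVE_QUERY_KEYS.has(k.slice(3).toLowerCase())) {
      findings.push(`${k}=${v}`);
    }
  }
  return { host: u.hostname, findings };
}

// Audit a batch of captured request URLs; only tracker hits with findings are reported.
function auditBeacons(urls) {
  const report = [];
  for (const url of urls) {
    const r = inspectBeacon(url);
    if (r && r.findings.length) report.push({ url, ...r });
  }
  return report;
}

// What to pass as gtag's page_location instead of the raw address: drop the query string
// and fragment, and truncate sensitive sections to their top-level path segment.
function sanitizePageLocation(pageUrl) {
  const u = new URL(pageUrl);
  const m = u.pathname.match(SENSITIVE_PATH);
  const path = m ? m[0] : u.pathname;
  return `${u.origin}${path}`;
}

// Constructed sample beacons (not real traffic): a Find a Doctor search hit, a claims page
// hit mirrored to the ads host with a uid, a harmless page view, and a non-tracker request.
const SAMPLE_BEACONS = [
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&cid=1.2&en=page_view' +
    '&dl=https%3A%2F%2Fexample-plan.test%2Ffind-a-doctor%3Fspecialty%3Doncology%26zip%3D94105&dt=Find%20a%20Doctor',
  'https://stats.g.doubleclick.net/g/collect?v=2&tid=G-EXAMPLE&cid=1.2&uid=MBR-0001' +
    '&dl=https%3A%2F%2Fexample-plan.test%2Fclaims%2F2023-05-01',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE&cid=1.2&en=page_view&dl=https%3A%2F%2Fexample-plan.test%2Fabout',
  'https://cdn.example-plan.test/app.js',
];

console.log(JSON.stringify(auditBeacons(SAMPLE_BEACONS), null, 2));
```

Run against the constructed sample, the audit reports two leaking hits: the search beacon (sensitive path plus the `specialty` and `zip` values) and the claims beacon on the doubleclick host (claim path plus the account identifier). Sanitizing is only half of the fix; the other half is the configuration itself, since gtag.js exposes `allow_google_signals` and `allow_ad_personalization_signals` settings that stop analytics data from being used for ad personalization, and a site handling PHI would set both to false and repeat this audit after every tag change.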