A major data breach at health insurance giant Blue Shield of California appears to be a case of misconfigured advertising analytics tools. Between April 2021 and January 2024, Google Analytics was misconfigured on some of the insurer’s websites, causing some personal information and potentially sensitive health data related to claims and searches to be available to Google’s ad network.
The incident most likely impacted members who checked on claim status or ran a “Find a Doctor” search while logged in to their Blue Shield accounts during the breach window. The exposed data did not include financial information or Social Security numbers, but Blue Shield is advising customers to monitor their accounts for suspicious activity.
Health insurance information may have leaked to Google Ad partners
In total, 4.7 million customers are thought to be impacted by the breach during its nearly three-year window. That is the majority of the health insurance giant’s California customer base, which numbers about six million across the state. The company has posted a public breach notification on its website, as has the US Department of Health and Human Services (HHS). The incident does not appear to impact the health data of Blue Shield members in states other than California.
The notification indicates that the company is not able to identify whether a particular member’s health data was exposed, so individual breach notifications will presumably not be going out. The impact may not be limited to this group, but the best indication thus far is that customers who logged into their accounts during the breach window to check on health insurance claims or to search for a doctor may have had some of that information exposed, along with an assortment of basic personal information. The breach notification also indicates that only “some” of the company’s public websites were impacted.
Google Analytics generally does not share identifiable personal information with the websites running it; it anonymizes the activity of individual users to show only what they interacted with, how long they spent on various parts of the site, and their country of origin. However, the health insurance firm says that the misconfiguration was in its linking of Analytics to Google Ads, the search giant’s third-party ad network, which serves targeted advertising information to third-party bidders. While the Analytics code embedded on Blue Shield sites would generally present no privacy risk beyond possible combination with other internal Google data sources, the Ads link meant that some of that profile information may have been made available to Google or its advertising partners.
The personal information that was exposed is fairly basic: names, city and zip code of residence, gender, and family size. The health plan information consists of items that could be of interest to scammers, however: plan types and details, internal identification numbers for individual member online accounts, and medical claim service dates and provider names. “Find a Doctor” search criteria and results (location, plan name and type, provider name and type) may have also been exposed.
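The kind of data flow described above (page URLs, search criteria and member identifiers riding along on analytics hits) is something a site owner can audit from a browser traffic capture. The following is an added example, not Blue Shield’s code: it scans constructed HAR-like request entries for hits to Google analytics/ads collection hosts whose `dl`/`dr` page-URL fields, `uid` field or `ep.*` event parameters carry claim or provider-search context. The host list, parameter names and sensitive-path patterns are assumptions modelled on gtag “collect” hits, not details from the article.

```javascript
// Added example (not Blue Shield's code). Host list, parameter names (dl, dr,
// uid, ep.*) and path patterns are assumptions modelled on gtag collect hits.
const TRACKER_HOSTS = [
  "www.google-analytics.com", "analytics.google.com",
  "stats.g.doubleclick.net", "googleads.g.doubleclick.net",
];
// Page paths and query keys matching the data classes the article says leaked:
// claim status pages and "Find a Doctor" searches (specialty, provider, plan).
const SENSITIVE_PATH = /\/(claims?|find-a-doctor|provider-search)\b/i;
const SENSITIVE_KEYS = ["specialty", "provider", "claim", "plan", "condition"];

function isTrackerHost(hostname) {
  return TRACKER_HOSTS.some(h => hostname === h || hostname.endsWith("." + h));
}

// Parse a page URL embedded in a hit (dl = page location, dr = referrer) and
// report whether its path or query keys fall in the sensitive set.
function inspectEmbeddedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  const keys = SENSITIVE_KEYS.filter(k => u.searchParams.has(k));
  return { path: u.pathname, sensitivePath: SENSITIVE_PATH.test(u.pathname), keys };
}

// entries: [{ url, postBody? }] captured from the browser (HAR-like, constructed).
// Returns one finding per tracker hit that carries member or search context.
function auditTrackerRequests(entries) {
  const findings = [];
  for (const e of entries) {
    const u = new URL(e.url);
    if (!isTrackerHost(u.hostname)) continue;
    const params = new URLSearchParams(u.search);
    // gtag may batch parameters into the POST body instead of the query string.
    if (e.postBody) for (const [k, v] of new URLSearchParams(e.postBody)) params.append(k, v);
    const reasons = [];
    for (const field of ["dl", "dr"]) {
      const raw = params.get(field);
      const info = raw && inspectEmbeddedUrl(raw);
      if (info && (info.sensitivePath || info.keys.length))
        reasons.push(`${field}: ${info.path} keys=[${info.keys.join(",")}]`);
    }
    if (params.has("uid")) reasons.push("uid set (member identifier sent to tracker)");
    for (const k of params.keys())
      if (k.startsWith("ep.") && SENSITIVE_KEYS.some(s => k.slice(3).includes(s))) reasons.push(`event param ${k}`);
    if (reasons.length) findings.push({ host: u.hostname, reasons });
  }
  return findings;
}

// Constructed sample capture: one benign hit, two hits leaking member context.
const SAMPLE_ENTRIES = [
  { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX&dl=https%3A%2F%2Fmember.example-insurer.test%2Fhome" },
  { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX&uid=member-00012345&dl=https%3A%2F%2Fmember.example-insurer.test%2Fclaims%2Fstatus%3Fclaim%3D987" },
  { url: "https://stats.g.doubleclick.net/g/collect?v=2&tid=G-XXXX", postBody: "dl=https%3A%2F%2Fmember.example-insurer.test%2Ffind-a-doctor%3Fspecialty%3Dobstetrics" },
];
```

Run against a real HAR export, every finding is a page where the tag configuration should be reviewed before the site is left linked to an ad account.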
Health data security issues continue for Blue Shield
While the exposed health data did not include patient records, a third party could infer sensitive facts from some of what was included. For example, individuals who searched for specialist doctors may have inadvertently exposed a condition or a pregnancy.
Blue Shield of California experienced a major data breach less than a year ago, though the compromised party was a third-party contractor. Young Consulting, a group specializing in employer stop-loss insurance services, was hacked by a ransomware gang in August 2024 and over 954,000 records were stolen (though that total includes clients other than Blue Shield). Blue Shield members who were impacted did receive individual data breach notices in the wake of that incident. Exposed health insurance information included the Social Security numbers and dates of birth of customers as well as a broader range of identification and family information for Young Consulting company employees.
Blue Shield of California is not alone among major health insurance and patient care outfits in both being targeted by criminals and having accidents with its own internal stores of health data. Something very similar happened last year to Kaiser Permanente, a combined insurer and direct care provider with access to a greater range of health data than Blue Shield. Kaiser had a similar ad-tracking misconfiguration that sent potentially sensitive data not just into the Google ecosystem but also into Microsoft’s and X’s ad networks. Some 13 million people were impacted by that breach. And in 2022, Advocate Aurora Health (a regional provider primarily working in Illinois and Wisconsin) had an errant tracking pixel provide patient health data to Google’s and Facebook’s ad networks.
It is still not entirely clear exactly how much health insurance information the average person had exposed by this incident, but Ensar Seker (CISO at SOCRadar) believes that it will turn out to be enough to get the company into some serious regulatory trouble: “In this case, the unintentional exposure of protected health information (PHI) from 4.7 million members to Google’s analytics and advertising platforms raises serious questions about how healthcare providers manage third-party tracking technologies. This isn’t just a technical misstep. It’s a HIPAA compliance failure. PHI should never be sent to platforms like Google Ads or Analytics, especially without explicit patient consent and proper business associate agreements (BAAs) in place. When you consider the type of data potentially exposed (names, IP addresses, search terms, and in some cases sensitive health-related activity) the privacy implications are significant. Such data can be used to infer medical conditions, insurance status, or treatment history, and that creates a risk not just of identity theft, but of discrimination, stigma, and profiling. What’s particularly troubling is the duration of exposure: nearly three years before it was identified and addressed. That suggests a systemic gap in data flow visibility, audit logging, and vendor oversight. Many healthcare organizations unknowingly introduce risk through website trackers, pixel tags, and marketing scripts: tools that are standard in e-commerce, but dangerously misapplied in regulated environments like healthcare.”
And though highly sensitive personal information does not appear to have been included, Paul Bischoff (Consumer Privacy Advocate at Comparitech) advises victims to be wary of scam and fraud attempts: “Victims should be on the lookout for insurance fraud. Check your hospital bills and prescriptions for any unfamiliar charges that could indicate someone else is using your insurance to get drugs or other care in your name.”
Jim Routh, Chief Trust Officer at Saviynt, adds that this scenario may well play out again before long: “The industry is likely to see similar types of data breaches going forward. Google has invested in and implemented highly sophisticated data models (Google Analytics) to harvest user online behavioral information (what products are consumed) along with individual attributes, which is then packaged for advertising platforms. The settings for Google Analytics and similar platforms need to be configured and reviewed by the healthcare insurance provider (Blue Shield of California) and other enterprises sharing consumer information.”
David Stuart, cybersecurity evangelist for Sentra, adds: “This incident underscores a growing blind spot in enterprise data governance: third-party tracking and analytics tools. As organizations move quickly to adopt AI and personalize digital experiences, it’s easy to overlook how data flows between systems — and who or what can access it. What’s especially concerning is how long it can take to detect these types of exposures, since they often don’t trigger traditional breach detection tools. Enterprises need continuous visibility into where their sensitive data is being accessed and by whom or what, including across marketing and analytics platforms, to avoid these silent risks.”