On April 9, 2025, the health plan provider Blue Shield of California reported a privacy breach caused by web tracking code on its websites sharing member data with Google’s advertising platform, Google Ads.
Blue Shield of California explained that, like other health plan providers, it had installed Google Analytics on selected Blue Shield websites to monitor how visitors interacted with them. Website owners commonly use Google Analytics to gather data about visitors, such as how they reach the site and which pages they view, and that data can be used to improve the user experience.
On February 11, 2025, Blue Shield of California discovered that Google Analytics had been configured in a way that disclosed member information to Google Ads for nearly three years. From April 2021 to January 2024, the misconfiguration may have allowed members’ protected health information (PHI) to be collected and used to show them personalized ads through the Google Ads program.
The types of information possibly disclosed and used for marketing varied from person to person, depending on which areas of the Blue Shield site they used. The following information could have been compromised: patient names, insurance plan name, type and group number, gender, family size, city, zip code, the Blue Shield-assigned ID for members’ online accounts, medical claim service date and provider, and patient financial responsibility. For visitors who used the “Find a Doctor” function, the collected data may also include the search criteria and results, such as location, plan name and type, and provider name and type.
Blue Shield of California stated that no threat actor accessed member information and that the data collected from website visitors was likely used only for marketing. The connection between Google Analytics and Google Ads was severed in January 2024, and there is no indication that information was disclosed to Google Ads after that date. Once the problem was discovered, Blue Shield of California began a full review of its websites and security practices to ensure that third-party tracking tools do not impermissibly disclose member information.
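The article does not say which Analytics setting fed member data to Google Ads. As an added example (not Blue Shield of California's code), the snippet below shows the two gtag.js configuration fields that keep Analytics data out of ad personalization, alongside a redaction step that strips the kinds of fields listed above (zip code, plan, Find a Doctor search criteria) from the URL before a page view is reported; the query-parameter names and the measurement ID are assumed placeholders.

```javascript
// Added example: hardening a gtag.js deployment on a health-plan site so that
// analytics hits carry neither ad-personalization signals nor PHI-bearing
// URL parameters. Not Blue Shield of California's code; parameter names are
// assumptions about a typical "Find a Doctor" page.

// gtag.js config fields that switch off Google Signals / ad personalization,
// so Analytics data is not used to personalize Google Ads.
const ANALYTICS_CONFIG = {
  allow_google_signals: false,
  allow_ad_personalization_signals: false,
  send_page_view: false, // page_view is sent manually after redaction (below)
};

// Query parameters that would carry member data on such a site (constructed
// list; real parameter names depend on the application).
const SENSITIVE_PARAMS = new Set([
  'member_id', 'plan', 'group', 'zip', 'city', 'provider', 'specialty', 'q',
]);

// Return a copy of the URL with sensitive query parameters replaced by a fixed
// marker: the reported page_location shows that a search happened, not what
// was searched for.
function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, 'REDACTED');
    }
  }
  return url.toString();
}

// Build the page_view payload passed to gtag('event', ...). Page titles on
// results pages often embed the search location, so zip codes are masked too.
function buildPageView(rawUrl, title) {
  return {
    page_location: redactUrl(rawUrl),
    page_title: title.replace(/\b\d{5}(?:-\d{4})?\b/g, 'REDACTED'),
  };
}

// Audit helper: true if a gtag config would let Analytics data feed Ads.
function configAllowsAdPersonalization(cfg) {
  return cfg.allow_google_signals !== false ||
         cfg.allow_ad_personalization_signals !== false;
}

// Browser usage (no-op when run outside a page that loaded gtag.js).
if (typeof window !== 'undefined' && typeof window.gtag === 'function') {
  window.gtag('config', 'G-PLACEHOLDER', ANALYTICS_CONFIG); // placeholder ID
  window.gtag('event', 'page_view', buildPageView(window.location.href, document.title));
}
```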
Because using PHI for marketing without authorization is not permitted under HIPAA, the incident at Blue Shield of California is a reportable data breach. At the time of writing, the incident does not appear on the Department of Health and Human Services’ Office for Civil Rights breach portal. Given how long the connection to Google Ads was active, the breach will probably affect a large number of Blue Shield of California members.