Blue Shield of California confirmed a data breach that exposed the protected health information of 4.7 million individuals via Google’s analytics and advertising platforms.
Serving nearly 6 million members throughout the state, the organisation posted the data breach notification on its website, indicating that the exposure occurred between April 2021 and January 2024.
The United States Department of Health and Human Services updated its breach portal earlier this week. The portal confirmed that this leak impacted the protected health data of the 4.7 million members.
The incident was attributed to a misconfiguration of Google Analytics on specific Blue Shield websites, which resulted in sensitive information possibly being shared with Google advertising platforms and advertisers.
According to the notification, on February 11, 2025, Blue Shield reported that Google Analytics was incorrectly configured between April 2021 and January 2024, resulting in the potential sharing of specific member data, likely including protected health information, with Google’s advertising platform, Google Ads.
The post also stated that Google may have utilised this data for targeted ad campaigns directed back to those members.
Types of Blue Shield of California data compromised
The Blue Shield of California data breach compromised various types of information, such as insurance plan name, type and group number, city and zip code, gender, family size, and Blue Shield-assigned identifiers for members’ online accounts.
Additionally, the exposed data included critical information such as medical claim service dates, service providers, patient names, and financial responsibilities. The “Find a Doctor” search criteria and results containing data like location, plan name and type, and provider name and type were also compromised.
Still, Blue Shield clarified that this breach did not affect other personal details, such as Social Security numbers, driver’s license numbers, and banking or credit card information.
However, members must remain vigilant and closely monitor their account statements and credit reports for unauthorised or suspicious activities.
The organisation has yet to provide identity theft protection services, and it is uncertain whether individual notifications will be issued to affected members moving forward. This issue marks the second major IT incident Blue Shield of California has reported in under a year.
