Blue Shield of California disclosed it suffered a data breach after exposing protected health information of 4.7 million members to Google’s analytics and advertisement platforms.
The nonprofit health plan, which serves nearly 6 million members across California, published a data breach notification on its website stating that member data was exposed between April 2021 and January 2024.
Today, the United States Department of Health and Human Services breach portal was updated to state that the leak exposed 4.7 million members’ protected health data.
According to the notice, the exposure was caused by a misconfiguration of Google Analytics on certain Blue Shield sites. This resulted in the sensitive data potentially being shared with Google advertising platforms and advertisers.
“On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information,” reads the notice.
“Google may have used this data to conduct focused ad campaigns back to those individual members.”
The data types exposed as a result of the misconfiguration include:
- Insurance plan name
- Type and group number
- City and zip code
- Gender
- Family size
- Blue Shield assigned identifiers for members’ online accounts
- medical claim service date and service provider, patient name, and patient financial responsibility
- “Find a Doctor” search criteria and results (location, plan name and type, provider name and type)
Blue Shield noted that other personal information, such as Social Security numbers, driver’s license numbers, banking, and credit card information, were not exposed as a result of this incident.
Still, it is recommended that members stay vigilant and closely monitor their account statements and credit reports to identify unauthorized/suspicious activity.
The organization has not offered identity theft protection services, and it’s unclear whether individual notices will be sent to impacted members in the future.
This is the second large-scale IT incident disclosed by Blue Shield of California in under a year.
Last year, nearly one million health plan members had their data stolen by BlackSuit ransomware actors who breached the organization’s software solutions provider, Connexure (formerly Young Consulting).
