Blue Shield of California, a U.S. health
insurance company, leaked sensitive health information to Google that belong to as many as 4.7 million members.
The data shared may have included medical claim dates and
providers such as appointments with specific doctors for ailments ranging from cardiologists or oncologists, Blue Shield shared in a blog post.
Patient names, insurance plan details, city of residence and zip code, gender, family size, and Blue
Shield-assigned account identifiers, as well as those responsible for payments were also included. Search queries and results for the "Find a Doctor" tool locator, plan type, and provider details also
could have been shared.
The company began notifying members earlier this month after noticing in February that Google Analytics had been configured in a way that allowed certain member data to
be shared with Google’s advertising product, Google Ads.
advertisement
advertisement
The breach occurred between April 2021 and January 2024, and it likely included protected health information.
Google also
may have used this data to conduct focused ad campaigns back to those individual members, the company said.
Despite all these details, Blue Shield is unable to confirm if any particular
member’s information was affected, as a result of the complexity and scope of the disclosures.
“Like other health plans, Blue Shield historically used the third-party vendor
service, Google Analytics, to internally track website usage of members who entered certain Blue Shield sites,” the company wrote in the post.
Blue Shield stopped using
Google Analytics and Google Ads on its websites in January 2024, and initiated a review of its websites and security protocols to ensure that no other analytics tracking software and
information could be found.
The company said there is no evidence of any leaks for other types of personal information, such as Social Security numbers, driver’s license numbers, or
banking or credit card information.