Blue Shield Shared Patient Health Data Via Google Ads

Blue Shield of California, a U.S. health insurance company, leaked sensitive health information belonging to as many as 4.7 million members to Google.

The data shared may have included medical claim dates and providers, such as appointments with specific doctors like cardiologists or oncologists, Blue Shield said in a blog post.

Patient names, insurance plan details, city of residence and zip code, gender, family size, and Blue Shield-assigned account identifiers, as well as those responsible for payments, were also included. Search queries and results for the "Find a Doctor" locator tool, plan type, and provider details could also have been shared.

The company began notifying members earlier this month after noticing in February that Google Analytics had been configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads.

The breach occurred between April 2021 and January 2024, and it likely included protected health information.

Google also may have used this data to conduct focused ad campaigns aimed back at those individual members, the company said.

Despite all these details, Blue Shield is unable to confirm whether any particular member’s information was affected, because of the complexity and scope of the disclosures.

“Like other health plans, Blue Shield historically used the third-party vendor service, Google Analytics, to internally track website usage of members who entered certain Blue Shield sites,” the company wrote in the post.

Blue Shield stopped using Google Analytics and Google Ads on its websites in January 2024, and initiated a review of its websites and security protocols to ensure that no other analytics tracking software and information could be found.

The company said there is no evidence of any leaks for other types of personal information, such as Social Security numbers, driver’s license numbers, or banking or credit card information.

1 comment about "Blue Shield Shared Patient Health Data Via Google Ads".
  1. L M from agency, April 30, 2025 at 2:47 p.m.

    And the sloppiness goes on, and on. Insurance = financial & data business. Yet they cannot do that correctly. Why would they need to track their own website page usage? QA & user feedback, yes... but wasting time/money/security on tracking page visits... sounds like a vanity metric for a financial business!
    And they need to hire Data Scientists, not lower level entry clerks. Breach occurred between April 2021 and January 2024... but not discovered til Feb 2025? That is far too many YEARS of data sold on dark web and identity theft/financial frauds that the company is not taking active responsibility for.
    The info leaked is PLENTY to create identity theft. Blue Shield does not have to be... SSN, DL or CC... why? Because the FEDERAL GOVT already leaked those!!!! In Dec 2020 and then the 2024 National Public Data (NPD) breach, leak occurring from April 2024 onward.
    The Big Tech shiny objects (AI subvariations, metaverse, VR) are cute add-ons... but they fail miserably at the MITIGATION of daily damage from enterprise platforms + social platforms.