Blue Shield of California Announces Impermissible Disclosure of PHI to Google Ads: 4.7 Million Affected
On April 9, 2025, the health insurance plan provider Blue Shield of California disclosed a web tracking-related privacy breach involving user data being shared with Google’s advertising product, Google Ads. The breach was recently reported to the HHS’ Office for Civil Rights (OCR) as affecting up to 4.7 million individuals, making it the second-largest healthcare data breach to be reported so far in 2024 behind the 5.5 million-record data breach at Yale New Haven Health System.
Blue Shield of California explained that, like many other health plans, it had installed Google Analytics to track how visitors used certain Blue Shield websites. Google Analytics is extensively used by website owners to collect information about website visitors, such as how they arrive on a website and the web pages they visit. The information can be used to improve the website and user experience.
On February 11, 2025, Blue Shield of California learned that Google Analytics had been configured in a way that resulted in member data being shared with Google Ads for almost 3 years. Between April 2021 and January 2024, the misconfiguration potentially resulted in members’ protected health information being collected and used to serve them with personalized advertisements online through the Google Ads platform.
The types of data potentially disclosed and used for advertising purposes varied from individual to individual based on their usage of Blue Shield sites, and could have included patient name; insurance plan name, type, and group number; city; zip code; gender; family size; Blue Shield-assigned identifiers for members’ online accounts; medical claim service date and service provider; and patient financial responsibility. If website visitors used the “Find a Doctor” feature, then the search criteria and results (location, plan name and type, provider name and type) may also have been involved.
Blue Shield of California emphasized that no bad actors accessed user data, and the information collected from website visitors would only have been used for advertising purposes. Blue Shield of California explained that the connection between Google Analytics and Google Ads was severed in January 2024, and since then, there are no indications that any further information was shared with Google Ads. When the issue was identified, Blue Shield of California initiated a full review of its websites and security protocols to ensure that no other third-party tracking tools were impermissibly sharing users’ data. Since the use of protected health information for advertising purposes without consent is not permissible under HIPAA, the incident is a reportable data breach.
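The article does not say how the Analytics-to-Ads linkage was configured, so the following is an added illustration, not Blue Shield’s code or anything from the notice: a small audit script for the kind of website review described above. It assumes the tag was deployed with the gtag.js snippet and uses the real gtag parameters allow_google_signals and allow_ad_personalization_signals, which govern whether Analytics data is shared with advertising features; the HTML samples and the G-EXAMPLE123 tag ID are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: a member-facing page whose gtag.js config leaves the
# default advertising features (Google Signals, ad personalization) enabled.
RISKY_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE123"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE123');
</script></head><body>Find a Doctor results for plan PPO ...</body></html>"""

# Same page with both advertising-related signals explicitly switched off.
HARDENED_HTML = RISKY_HTML.replace(
    "gtag('config', 'G-EXAMPLE123');",
    "gtag('config', 'G-EXAMPLE123', {'allow_google_signals': false, "
    "'allow_ad_personalization_signals': false});")

# Script tags loading Google Analytics (gtag.js or the older analytics.js).
TRACKER_SRC = re.compile(
    r"""<script[^>]+src=["']([^"']*(?:googletagmanager\.com/gtag/js|"""
    r"""google-analytics\.com/analytics\.js)[^"']*)["']""", re.I)
# gtag('config', '<id>' [, {...}]) calls; the options object is optional.
CONFIG_CALL = re.compile(
    r"gtag\(\s*['\"]config['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*(?:,\s*(\{.*?\}))?\s*\)", re.S)
REQUIRED_OFF = ("allow_google_signals", "allow_ad_personalization_signals")


def audit_page(html: str) -> Dict[str, List[str]]:
    """Report GA trackers on a page and which tag IDs still share with Ads."""
    findings: Dict[str, List[str]] = {
        "trackers": TRACKER_SRC.findall(html),
        "ad_sharing_on": [],   # config leaves advertising features enabled
        "ad_sharing_off": [],  # config disables both advertising signals
    }
    for tag_id, opts in CONFIG_CALL.findall(html):
        disabled = all(
            re.search(r"['\"]%s['\"]\s*:\s*false" % key, opts or "")
            for key in REQUIRED_OFF)
        bucket = "ad_sharing_off" if disabled else "ad_sharing_on"
        findings[bucket].append(tag_id)
    return findings


if __name__ == "__main__":
    for label, page in (("risky", RISKY_HTML), ("hardened", HARDENED_HTML)):
        print(label, audit_page(page))
```

Page-level flags only cover the snippet; the Analytics property’s own link to a Google Ads account is set in the Analytics admin console and has to be reviewed there as well.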