Blue Shield of California has announced a data breach impacting approximately 4.7 million members. Between April 2021 and January 2024, a misconfiguration in the company’s use of Google Analytics led to the inadvertent sharing of protected health information (PHI) with Google Ads.
Details of the Breach
The breach was discovered on February 11, 2025, when Blue Shield identified that certain configurations allowed member data to be transmitted to Google Ads. The information potentially shared includes:
- Insurance plan names, types, and group numbers
- City and ZIP code
- Gender and family size
- Blue Shield-assigned online account identifiers
- Medical claim service dates and service providers
- Patient names and financial responsibility details
- “Find a Doctor” search criteria and results
Notably, Social Security numbers, driver’s license numbers, and banking or credit card information were not involved in this incident.
Company Response
Upon discovering the misconfiguration, Blue Shield severed the connection between Google Analytics and Google Ads in January 2024. The company has since initiated a comprehensive review of its website and security protocols to prevent future occurrences.
Blue Shield stated that there is no evidence suggesting that the data was used beyond targeted advertising or shared with unauthorized parties.
Member Guidance
Blue Shield advises affected members to remain vigilant by monitoring their account statements and credit reports for any unauthorized activity. Members should report any suspicious activity to the appropriate financial institutions and law enforcement agencies.