
Blue Shield of California: Data of millions shared with Google

Blue Shield of California notified 4.7 million members of a breach, stating that Google Analytics was configured in a way that allowed member data to be shared with Google Ads for years.

Blue Shield of California notified 4.7 million individuals of a data breach that stemmed from a configuration of Google Analytics that allowed it to share member data with Google Ads. This configuration could have enabled Google Ads to deliver ad campaigns back to the impacted members, Blue Shield stated.

As of May 2024, Blue Shield of California had approximately 4.8 million members, meaning the organization notified most of its members of the incident. Blue Shield said it notified all members who may have accessed their member information on the affected Blue Shield websites during the timeframe in question, from 2021 to 2024.

Blue Shield stated that it used Google Analytics to track website usage of its members in order to improve its services. As previously reported, analytics tools are widely used across healthcare websites and can help website operators track visitor activity and improve the effectiveness of their sites.

However, the use of these tools has also resulted in legal and compliance challenges for several healthcare organizations.

In the case of Blue Shield, the organization discovered in February 2025 that Google Analytics was configured in such a way that it could have shared member data, including protected health information, with Google Ads. The incident occurred between April 2021 and January 2024.

"Google may have used this data to conduct focused ad campaigns back to those individual members," Blue Shield stated.

"We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone."

The information that could have been impacted included gender, family size, insurance plan name, type and group number, zip code, patient names, Blue Shield-assigned identifiers for online accounts, medical claim service date and provider, and "Find a Doctor" results and search criteria.

Blue Shield said that it severed the connection between Google Analytics and Google Ads on its sites in January 2024.

"We have no reason to believe that any member data has been shared from Blue Shield's websites with Google after the connection was severed," the notice stated.

"Upon discovering the issue, Blue Shield immediately initiated a review of its websites and security protocols to ensure that no other analytics tracking software is impermissibly sharing members' protected health information."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
