Los Angeles, California – Blue Shield of California is facing severe backlash after revealing a data breach that exposed sensitive patient information to tech and advertising giant Google. The insurance company confirmed on Wednesday that millions of its customers’ personal and health data was shared with Google Analytics between 2021 and January 2024, unbeknownst to both the insurer and its customers.
The breach affects an estimated 4.7 million individuals, nearly the entirety of Blue Shield’s 4.5 million members as of 2022. The company disclosed the breach to the U.S. Department of Health and Human Services, triggering a legally required notification to those affected. The breach is now considered one of the largest healthcare-related data breaches of 2025.
Blue Shield explained that the sharing of sensitive data stemmed from a misconfiguration in its use of Google Analytics, a tool used to track user interactions with websites. While the company initially intended to track website usage for operational purposes, the misconfiguration led to the unintended collection of highly sensitive health information. This included patients’ search terms for healthcare providers, insurance plan details, personal information such as gender, zip code, and family size, as well as claims-related data including patient names, service dates, and financial responsibilities.
Critically, Blue Shield noted that this data may have been used by Google to target personalized advertisements at affected individuals, a practice that raises concerns about the privacy of sensitive health information.
Though Blue Shield ceased sharing data with Google in January 2024, the company only became aware of the extent of the breach in February of this year. The insurer has not confirmed whether it has requested Google to delete the improperly collected data, nor has Google commented on whether it has complied with any such requests.
This incident adds to a growing list of healthcare-related breaches involving online tracking technologies. Last year, Kaiser Permanente disclosed a similar breach affecting over 13 million people, revealing that it had shared patient data with advertisers like Google, Microsoft, and X. Healthcare startups, including Cerebral, Monument, and Tempest, have also faced scrutiny for sharing personal and health data with advertising firms.
The breach at Blue Shield of California highlights an ongoing issue in the healthcare industry, where tech companies, reliant on tracking data for advertising, are increasingly embedded in the digital infrastructure of health insurers. Experts warn that this trend threatens the privacy of individuals’ most sensitive health information, often without their knowledge or consent.
