Blue Shield of California Data Breach: Millions Exposed to Google

Blue Shield of California Data Breach Affects Millions
Blue Shield of California, a major health insurance provider, has announced a significant data breach impacting millions of individuals. The company confirmed on Wednesday that private patient health information had been shared with Google without authorization over a period beginning in 2021.
Details of the Data Sharing
The insurer stated that the data transmission ceased in January 2024. However, it only realized this February that the years of collected data contained personal and sensitive health details.
Google Analytics was utilized by Blue Shield to monitor customer website usage. A configuration error, however, resulted in the unintended collection of personally identifiable and health-related data.
Specific Data Compromised
This included search queries entered by patients while seeking healthcare providers on the Blue Shield website. The insurance company indicated that Google “may have leveraged this data to deliver targeted advertising campaigns to those specific members.”
Furthermore, the data shared encompassed insurance plan specifics – names, types, and group numbers – alongside personal details like patients’ city, zip code, gender, and family size.
Sensitive information such as Blue Shield member account numbers, claim dates, service providers, patient names, and individual financial responsibilities was also included in the shared data.
Breach Notification and Affected Individuals
According to a mandatory disclosure to the U.S. Department of Health and Human Services, Blue Shield of California is notifying approximately 4.7 million individuals affected by this breach.
The scope of the breach is believed to encompass the majority of Blue Shield’s customer base, which numbered 4.5 million members as of 2022.
Responses from Blue Shield and Google
The question of whether Blue Shield requested data deletion from Google, or if Google has complied with such a request, remains unanswered.
Mark Seelig, a Blue Shield spokesperson, offered no additional comments beyond the company’s official statement.
Jacel Booth, a Google spokesperson, responded to TechCrunch by stating that “businesses, and not Google, are responsible for managing the data they collect and informing users about its collection and use.” Google did not confirm whether it would delete the collected data.
Wider Trend of Healthcare Data Breaches
Blue Shield is not alone in facing scrutiny over the use of online tracking technologies. These trackers, often supplied by large tech companies, are embedded in websites and mobile applications to gather customer browsing information.
These technologies are primarily utilized by tech and social media companies for advertising purposes and revenue generation.
Last year, Kaiser Permanente, another major U.S. health insurer, disclosed that it had shared patient data with advertisers, including Google, Microsoft, and X, through embedded tracking code on its website.
Several other healthcare startups, such as Cerebral, Monument, and Tempest, have also reported past breaches involving the sharing of patient information with advertising firms.
Largest Healthcare Breach of 2025
Currently, the data breach at Blue Shield of California represents the largest healthcare-related data breach reported to the U.S. Department of Health and Human Services’ Office for Civil Rights in 2025.
This article has been updated to include statements from both Google and Blue Shield.
