Blue Shield of California shared private health data of 4.7 million members with Google without consent

midian182

Posts: 11,726   +177
Staff member
A hot potato: Health insurance provider Blue Shield of California is notifying customers that it had been sharing the private health information of up to 4.7 million members with Google's analytics and advertising platforms for three years without their knowledge or consent. A wide range of data was exposed, and it may have been used by Google for targeted ad purposes.

Blue Shield of California wrote on its website that it has begun notifying certain members of a potential data breach that may have included elements of their protected health information.

The issue stems from Blue Shield using Google Analytics to internally track website usage of members who entered certain Blue Shield sites.

On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, a misconfiguration of Google Analytics on certain Blue Shield sites allowed members' sensitive health data to be shared with Google Ads.

The shared data may have included insurance plan details, addresses, gender, family size, Blue Shield-assigned account identifiers, financial responsibility info, and search queries and results for the "Find a Doctor" tool (location, plan name and type, provider name and type).

The notice adds that Google may have used this data to carry out targeted ad campaigns against individual members. That's certainly unnerving when private, personal health details are being exploited.

Blue Shield says it ended its relationship with Google Analytics and Google Ads on its websites in January 2024.

Blue Shield writes that Social Security numbers, driver's license numbers, and banking or credit card information were not disclosed. However, it's recommended that members closely review their account statements and credit reports for anything suspicious. There are also recommendations to order a free credit report and place a fraud alert on it.

Companies tend to offer free identity fraud and theft protection in cases like these, but there's no mention of Blue Shield offering these services. The notice's "What we are doing" section simply states that Blue Shield "regrets" what happened; there's no actual apology.

Blue Shield isn't the first healthcare firm to make this mistake. As noted by TechCrunch, insurance giant Kaiser said it shared the data of 13 million patients with advertisers, including Google, Microsoft, and X, after embedding tracking code on its website. Cerebral, Monument, and Tempest also shared patients' personal and health information with advertisers.

Masthead: Steve Rhodes

Permalink to story:

 
Data was shared unknowingly for all those years, right!! The biggest load of the foulest smelling, steaming hot bull muffins ever to be offered up!! Oh golly, we had no idea those millions came from Google Ads. We have so many millions pouring in, it is all but impossible to account for each. But do not fret, our CEO and Board Members are always willing to assume the heavy burden of giving these surplus funds a safe home, until their families can be located.
 
There's a solution to this - just block ads & trackers. And, of course, don't even think of using Chrome.

I just checked - EasyList, maybe the most popular ad-blocking list, has 525 occurrences of the string 'google'. Additionally, the EasyPrivacy list has 140+.

Google is a virus. Protecting yourself from it is your responsibility.
 
What I find most disturbing about this story is simply looking at the wording on the build in the first image "Blue Cross of California" - why in the world is there hair growing off all the letters/symbols? WTF?

As for the data - they got paid big bucks for it or at least some one or some people did. It happens all the time. We all know it does, yet nothing gets done about it.

Just be sure to find out how much they were paid or profited off it and make the fine 100x that on the thieving party or both parties if they were in on it. Once these companies actually get punished for this kind of activity, not just some pathetic little slap on the wrist, they will start to step in line (or do a whole helluva lot better hiding these illegal deals).
 
In 3...2...2... "If you or a love one had your personal data leaked by Blue Shield California,
YOU may be entitle to substantial financial compensation. Contact the law firm of
Dewey, Cheatem & Howe".
 
Something people may not be aware of, but Larry Elisson’s Oracle purchased the largest electronic medical records company just a few years ago. I wonder why he needed it…now the face of Project Stargate to get another mRNA shot into you under the guise of a “cancer cure”
 
5 years prison for CEO, 1 year for the rest of the board and then start on Google for knowingly using private data that they had no right to use. Pinchai needs to also go to jail.
 
What I find most disturbing about this story is simply looking at the wording on the build in the first image "Blue Cross of California" - why in the world is there hair growing off all the letters/symbols? WTF?

As for the data - they got paid big bucks for it or at least some one or some people did. It happens all the time. We all know it does, yet nothing gets done about it.

Just be sure to find out how much they were paid or profited off it and make the fine 100x that on the thieving party or both parties if they were in on it. Once these companies actually get punished for this kind of activity, not just some pathetic little slap on the wrist, they will start to step in line (or do a whole helluva lot better hiding these illegal deals).
Those are spikes to keep the birds from nesting on the sign.
 
Back