Blue Shield of California is notifying 4.7 million individuals of a data breach. The company confirmed it had been sharing patients’ private health information with Google since 2021. The data sharing stopped in January 2024, but it was not until February that the years-long collection was found to contain patients’ personal and sensitive health information.
Blue Shield said it used Google Analytics to track how its customers used its websites, but a misconfiguration allowed personal and health information to be collected as well. This included search terms used on its website; insurance plan names, types, and group numbers; and personal information such as patients’ city, zip code, gender, and family size. Blue Shield-assigned member account numbers, claim service dates, service providers, patient names, and patients’ financial responsibility were also shared.
Data breach affects millions
Blue Shield of California is notifying 4.7 million individuals affected by the breach. The breach is thought to affect the majority of its customers; Blue Shield had 4.5 million members.
It’s not immediately clear if Blue Shield asked Google to delete the data, or if Google has complied. Mark Seelig, a spokesperson for Blue Shield, did not comment beyond the company’s statement. When reached for comment, a spokesperson for Google said, “businesses, not Google, manage the data they collect and must inform users about its collection and use,” but Google would not say if it would delete the collected data.
The breach at Blue Shield of California currently stands as the largest healthcare-related data breach of 2025 so far, per the U.S. health department’s Office for Civil Rights.