Blue Shield of California has confirmed a significant data breach affecting approximately 4.7 million individuals after it was revealed that the company had been sharing patients’ personal health information with Google since 2021. The insurer announced on Wednesday that the data sharing ceased in January 2024, but it only became aware of the breach in February.
Details of the Data Breach
The breach occurred due to a misconfiguration in the use of Google Analytics, which was intended to track user engagement on Blue Shield’s websites. As a result, sensitive information, including search terms used by patients to locate healthcare providers, was inadvertently collected. The data shared included insurance plan details and personal identifiers such as city, zip code, gender, and family size. It also encompassed patient names, account numbers, service dates, service providers, and financial obligations.
Legal Obligations and Notifications
According to a legally mandated disclosure to the U.S. Department of Health and Human Services, Blue Shield of California is notifying millions of affected individuals. With approximately 4.5 million members reported in 2022, this breach potentially impacts most of its customer base. It remains unclear if Blue Shield has requested Google to delete the collected data or if Google has complied with such a request.
Context Within the Healthcare Sector
This incident is part of a troubling trend within the healthcare sector, where online tracking technologies have been misused to collect sensitive patient information. Online trackers, often supplied by major tech firms, gather data on user activities across mobile apps and websites, primarily for advertising revenue. This is not an isolated case; last year, Kaiser Permanente notified over 13 million individuals about a similar data-sharing issue involving Google, Microsoft, and others.
Repercussions and Ongoing Concerns
Blue Shield of California’s breach currently stands as the largest healthcare-related data breach of 2025, as recognized by the U.S. Department of Health and Human Services’ Office for Civil Rights. Other healthcare startups, like Cerebral and those in the alcohol recovery sector, have also reported breaches where patient data was improperly shared with advertisers. The growing scrutiny over data privacy in the healthcare industry underscores the importance of safeguarding sensitive information.