Key takeaways:
- Blue Shield of California had a long-lasting data breach that potentially exposed the health information of 4.7 million people.
- Health and identifying information accidentally leaked to Google Ads, making it available for online advertising.
- Similar breaches are likely to happen in the future at other companies.
A data breach at Blue Shield of California exposed millions of customers' data to Google for years.
The Blue Shield data breach affects around 4.7 million customers, according to an April 9 filing with the Department of Health and Human Services. In a letter to victims, Blue Shield of California said the following information may have been exposed:
- Insurance plan name
- Insurance type and group number
- City
- Zip code
- Gender
- Family size
- Blue Shield identifiers for online account
- Medical claim service date and service provider
- Patient name
- Patient financial responsibility
- “Find a Doctor” search criteria and results
The Blue Shield data breach stems from a misconfiguration of Google Analytics, which health providers use to track members' website usage. The misconfiguration shared customer data with Google Ads for online advertising campaigns, the health insurance company said.
Blue Shield said it discovered in mid-February that the data breach had gone on for years, lasting from April 2021 to January 2024.
Focused ad campaigns
"Google may have used this data to conduct focused ad campaigns back to those individual members," Blue Shield said. "We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone."
After the discovery, Blue Shield said it "severed" the connection between Google Analytics and Google Ads on its websites.
A Google spokesperson told ConsumerAffairs: “Businesses, not Google, manage the data they collect and must inform users about its collection and use."
Google has policies against collecting private health information or advertising based on sensitive information, the spokesperson added.
But the advertising and search giant has created highly sophisticated models to harvest the behavior of people online, making these breaches possible at companies that aren't safely using the services to guard their customers' data, Jim Routh, chief trust officer at cybersecurity company Saviynt, told ConsumerAffairs.
"The industry is likely to see similar types of data breaches going forward," he said.
Blue Shield didn't offer victims any complimentary identity theft monitoring, which companies typically offer as part of their apology, but recommended that people get a copy of their credit report and set up fraud alerts with the three major credit bureaus.