Blue Shield Leaked Health Info of 4.7M patients with Google Ads
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Blue Shield of California has disclosed a significant data breach affecting 4.7 million members, representing the majority of its nearly 6 million customers.\u00a0<\/p>\n
The health insurance provider revealed that protected health information (PHI) was inadvertently shared with Google\u2019s advertising platforms over a nearly three-year period due to a misconfiguration of Google Analytics on the company\u2019s websites.<\/p>\n
This breach, spanning from April 2021 to January 2024, is among the largest healthcare data incidents of 2025.<\/p>\n
The company discovered<\/a> the privacy violation on February 11, 2025, when an internal review identified that Google Analytics had been improperly configured to share sensitive member data with Google Ads, potentially enabling targeted advertising campaigns directed at affected individuals.<\/p>\n \u201cOn February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google\u2019s advertising product, Google Ads, that likely included protected health information,\u201d the company stated in its notification.<\/p>\n The data potentially exposed includes:<\/p>\n Blue Shield emphasized that no Social Security numbers, driver\u2019s license numbers, or banking and credit card information were compromised in the breach.\u00a0<\/p>\n The company also stated that \u201cno bad actor was involved\u201d and that Google has not shared the protected information with other parties.<\/p>\n This incident raises serious concerns about HIPAA compliance in relation to online tracking technologies.<\/p>\n Under HIPAA regulations, health organizations must implement robust safeguards for PHI and secure Business Associate Agreements (BAAs) with vendors handling such data.\u00a0<\/p>\n Google explicitly states that Google Analytics is not HIPAA-compliant<\/a> and does not offer a BAA, making its use on pages handling PHI inherently risky.<\/p>\n Security experts attribute such breaches to technical misconfigurations and inadequate visibility into data collection practices.\u00a0<\/p>\n \u201cMany healthcare companies are caught unaware of potential data privacy problems because they either don\u2019t fully know what their analytics tools are collecting, or they don\u2019t know how to set up Google Analytics correctly,\u201d noted Ian Cohen, CEO of Lokker.<\/p>\n Blue Shield severed the connection between Google Analytics and Google Ads in January 2024 and has initiated a comprehensive review of its websites and security protocols.\u00a0<\/p>\n The company recommends that affected members remain vigilant by monitoring account statements and credit reports for suspicious activity.<\/p>\n This marks Blue Shield\u2019s second significant IT incident in under a year. In 2024, the BlackSuit ransomware<\/a> group stole nearly one million health plan members\u2019 data following an attack on Connexure, Blue Shield\u2019s software solutions provider.<\/p>\n According to the U.S. Department of Health\u2019s Office of Civil Rights, this breach is currently recognized as the most significant healthcare-related data breach of 2025.\u00a0<\/p>\n The post Blue Shield Leaked Health Info of 4.7M patients with Google Ads<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nBlue Shield Data Exposure<\/strong><\/h2>\n
\n
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!->\u00a0Get Your Free Copy<\/a><\/code><\/strong><\/p>\n