Security

California's Blue Shield Accidentally Shared 4.7 Million Customers’ Health Data with Google

by VARINDIA 2025-04-29

A configuration error in Google Analytics allowed sensitive member data to spill to Google Ads, potentially exposing customer data for almost three years.

Blue Shield of California, a major U.S. health insurer, accidentally shared personal data of 4.7 million members with Google due to a Google Analytics misconfiguration. The data was unintentionally sent to Google Ads, and may have been used to show targeted advertisements.

Between April 2021 and January 2024, Blue Shield used Google Analytics to understand how users interacted with its website. But a settings error allowed sensitive health-related information—such as health plan type, gender, city, family size, account IDs, and even search queries for doctors—to be exposed.

Blue Shield stated, “Google may have used this data to show targeted ad campaigns to individual members.” But it also said that there was no leak of other types of personal information, such as Social Security numbers, driver’s license numbers, or banking or credit card information.

Blue Shield confirmed that Social Security numbers, driver’s license numbers, and financial details were not shared. Still, the leak potentially revealed personal health concerns of many users. After discovering the leak, Blue Shield said it reviewed all its websites to ensure no other tracking software was sharing protected health information with third parties.

Blue Shield has now reviewed all its websites to prevent future leaks and is contacting affected members. This case shows how small tech errors can lead to major privacy issues, especially in healthcare, where data sensitivity is high.