Blue Shield’s advertising integration exposes data on 4.7M members to Google
Cookies from Google Analytics led to 4.7 million Blue Shield of California members having their data exposed to the tech giant, according to the federal government’s healthcare data breach tracker. The insurer said it was contracting with Google to improve its service offerings by analyzing activity on its website—a connection it has since "severed."
According to a notice from the insurer, data was exposed through the integration between April 2021 and January 2024, with Blue Shield becoming aware of the issue in February 2025, long after it was fixed. It said the connection to Google Ads and Google Analytics ended in early 2024.
However, various personal details from users of the website (including patients who use Blue Shield) were taken, some of which are protected health information under the Health Insurance Portability and Accountability Act (HIPAA). The insurer said it cannot be sure exactly whose data was shared with Google due to “the complexity and scope of the disclosures,” and instead “out of an abundance of caution” opted to send a notice to all individuals who were members during the time Google was deployed.
Personal information known to have been shared with Google includes member names, provider names, health plan details, location data, and personal demographic information from users, including gender and family size.
Information inputted into the website’s “Find a Doctor” tool, including search results, was also shared, Blue Shield confirmed. However, the company maintains that social security numbers, driver’s license numbers, and financial information were never exposed.
“Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone,” Blue Shield said in its breach notice.
“We have no reason to believe that any member data has been shared from Blue Shield’s websites with Google after the connection was severed,” the company added.
Blue Shield stated it has no evidence any of the data has been used for nefarious purposes. However, it is asking members to monitor billing records and credit reports for any sign of identity theft. If any suspicious activity is found, the company advised members to report it to their financial institutions immediately.
At 4.7 million victims, the breach is officially the second largest of 2025, falling just behind the recent cyberattack on Yale New Haven Health, which impacted 5.6 million people. That incident appears to have been a more traditional data breach, where criminals gained access to the hospital network, stealing patient records in the process.