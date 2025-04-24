





Healthcare insurer Blue Shield of California has notified 4.7 million individuals of a potential data breach after unknowingly sharing patients’ protected health information with Google since 2021. “On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information,” Blue Shield said in its notice. “Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone.” Blue Shield used Google Analytics to track members’ use of certain Blue Shield websites. It said it “severed the connection” to Google Ads and Google Analytics in January 2024, a year before it learned of the years-long data collection. The health insurer said the information that may have been impacted includes one’s insurance plan name, type and group number, as well as personal details like patient name, gender, location, family size and patient financial responsibility. Blue Shield-generated unique IDs for members’ online accounts, information related to medical claim service dates and providers, and search inputs and outcomes from the “Find a Doctor” feature were also shared. The health insurer said Social Security numbers, driver’s license numbers, and banking or credit card information were not disclosed. Blue Shield filed a legally required disclosure with the U.S. Department of Health and Human Services on April 9, stating that 4.7 million individuals were affected by the breach. As of last year, the company reported having 4.8 million members. THE LARGER TREND Verizon released its 2025 Data Breach Investigations Report this week, which revealed that healthcare remains a favorite target of attackers. Another company that experienced a data breach is multinational computer technology company Oracle, which has experienced two separate data breaches in recent months, one affecting Oracle Health customers and another said to have resulted from an exploit targeting Oracle Cloud login servers. Last month, Yale New Haven reported a cybersecurity incident in which threat actors stole personal data of 5.5 million patients. The cyberattack caused IT system disruptions but did not affect patient care. In 2024, Change Healthcare, a software and data analytics vendor that offers revenue cycle management, clinical decision support and other operations tools, announced it took its systems offline due to a cyberattack. The company, which handles claims for hundreds of thousands of physicians, pharmacies and other providers and processes numbering around 15 billion transactions annually, was struck by BlackCat ransomware, leaving its operations essentially debilitated.