Data breach lasted for years and took a long time to discover
Key takeaways:
- Blue Shield of California had a long-lasting data breach that potentially exposed the health information of 4.7 million people.
- Health and identifying information accidentally leaked to Google Ads, making it available for online advertising.
- Similar breaches are likely to happen in the future at other companies.
A data breach at Blue Shield of California exposed millions of customers' data to Google for years.
The Blue Shield data breach affects around 4.7 million customers, according to an April 9 filing with the Department of Health and Human Services. In a letter to victims, Blue Shield of California said the following information may have been exposed:
- Insurance plan name
- Insurance type and group number
- City
- Zip code
- Gender
- Family size
- Blue Shield identifiers for online account
- Medical claim service date and service provider
- Patient name
- Patient financial responsibility
- Find a Doctor search criteria and results
The Blue Shield data breach stems from a misconfiguration of Google Analytics, which health providers use to track website usage of members, that shared customer data with Google Ads for online advertising campaigns, the health insurance company said.
Blue Shield said it discovered in mid-February that the data breach went on for years, lasting between April 2021 and January 2024.
Focused ad campaigns
"Google may have used this data to conduct focused ad campaigns back to those individual members," Blue Shield said. "We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone."
After the discovery, Blue Shield said it "severed" the connection between Google Analytics and Google Ads on its websites.
Google didn't immediately respond to ConsumerAffairs's request for comment.
Google has created highly sophisticated models to harvest the behavior of people online, making these breaches possible at companies that aren't safely using the services to guard their customers' data, Jim Routh, chief trust officer at cybersecurity company Saviynt, told ConsumerAffairs.
"The industry is likely to see similar types of data breaches going forward," he said.
Blue Shield didn't offer any identity theft monitoring to victims, but recommended that people get a copy of their credit report and set up fraud alerts with the three major credit bureaus.
Posted: 2025-04-24 01:35:16