Health insurance giant Blue Shield of California is notifying millions of people of a data breach. The company confirmed on Wednesday that it had been sharing patients’ private health information with tech and advertising giant Google since 2021.
The insurer said that the data sharing stopped in January 2024, but it only learned this February that the years-long collection contained patients’ personal and sensitive health information.
Blue Shield said it used Google Analytics to track how its customers used its websites, but a misconfiguration had allowed for personal and health information to be collected as well, such as the search terms that patients used on its website to find healthcare providers.
The insurance giant said Google “may have used this data to conduct focused ad campaigns back to those individual members.”
Blue Shield said the collected data also included insurance plan names, types and group numbers, along with personal information such as patients’ city, zip code, gender and family size. Details of Blue Shield-assigned member account numbers, claim service dates and service providers, patient names and patients’ financial responsibility were also shared.
Per a legally required disclosure with the U.S. government’s health department, Blue Shield of California said it is notifying 4.7 million individuals affected by the breach. The breach is thought to affect the majority of its customers; Blue Shield had 4.5 million members as of 2022.
It’s not immediately clear if Blue Shield asked Google to delete the data, or if Google has complied. Spokespeople for Blue Shield and Google did not immediately respond to requests for comment.
Blue Shield is the latest healthcare company to be caught out by the use of online tracking technologies. Online trackers are small snippets of code, often provided by tech giants, designed to collect information about a customers’ browsing activity by being embedded in mobile apps and websites. Tech and social media companies are usually the sources of these trackers, as they rely on the data for advertising and to drive the majority of their revenues.
Last year, U.S. health insurance giant Kaiser notified more than 13 million people that it had been sharing patients’ data with advertisers including Google, Microsoft and X, after embedding tracking code on its website.
Several other emerging healthcare companies, including mental health startup Cerebral and alcohol recovery startups Monument and Tempest, have disclosed past breaches involving the sharing of patients’ personal and health information with advertising firms.
The breach at Blue Shield of California currently stands as the largest healthcare-related data breach of 2025 so far, per the U.S. health department’s Office of Civil Rights.