Blue Shield Confirms Largest Health Breach of 2025


Blue Shield of California is notifying millions of patients after discovering that it shared sensitive health information with Google over several years. The health insurance provider said it used Google Analytics on its websites to monitor how users navigated its online services. However, a misconfiguration led to the unintentional transmission of personal and health-related data to the tech giant.

Although the data-sharing activity ended in January 2024, Blue Shield only became aware in February that the information collected included sensitive patient details.

According to a disclosure filed with the U.S. Department of Health and Human Services (HHS), 4.7 million individuals were affected. This number likely includes the majority of Blue Shield’s members, which totaled 4.5 million as of 2022.

Personal and Health Data Shared with Google

Blue Shield said the tracking tool collected more than just general website usage. It also captured search terms users entered to find healthcare providers, as well as their insurance plan names, types, and group numbers. Other data shared included patients’ cities, ZIP codes, genders, family sizes, and member account numbers.

The breach also exposed information related to specific healthcare services, such as claim service dates, service providers, and financial responsibility. In some cases, even patient names were shared with Google.

Blue Shield acknowledged that Google might have used the data for targeted advertising campaigns. However, the company has not confirmed whether it asked Google to delete the data. Neither Blue Shield nor Google responded to media requests for comment.

Part of a Larger Pattern in Healthcare

The incident reflects a broader issue in the healthcare industry regarding the use of online tracking technologies. These tools—usually small snippets of code embedded in websites or apps—are widely provided by major tech companies like Google, Microsoft, and Meta. While intended to improve user experience and advertising, they often collect more data than intended, raising serious privacy concerns.

In 2024, Kaiser Permanente faced a similar controversy. The company disclosed that tracking codes on its websites led to the exposure of personal health information of more than 13 million people to advertising platforms. Startups in the healthcare space, including Cerebral, Monument, and Tempest, have also admitted to past breaches involving trackers.

The Blue Shield incident is now considered the largest healthcare-related data breach reported so far in 2025, according to the HHS Office for Civil Rights.

What Happens Next

Blue Shield is in the process of sending notifications to affected individuals. The company has not specified what steps it is taking to ensure the removal of the collected data from Google’s systems. Nor has it offered details on future safeguards to prevent similar incidents.

The breach raises questions about how healthcare providers manage third-party technologies and protect user privacy online. It also highlights the tension between improving digital user experiences and complying with regulations designed to protect patient health information.

As more healthcare companies turn to analytics and ad tools to improve services, experts warn that such incidents could become more frequent unless stricter controls are put in place.
