California health insurance giant Blue Shield has notified millions of people of a data breach. The company confirmed Wednesday that it had been sharing patients' private health information with tech and advertising giant Google since 2021.
The insurance company said the data sharing was suspended in January 2024, but that it learned in February of this year that the long-running collection contained patients' personal and sensitive health information.
Blue Shield used Google Analytics to track how customers used its website, but a misconfiguration also allowed personal and health information to be collected, such as the search terms that patients used to find health care providers on the website.
The insurance giant said Google “may have used this data to run an ad campaign focused on these individual members.”
According to Blue Shield, the data collected includes personal information such as patients' city, zip code, gender and family size, as well as insurance plan name, type and group number. The member account numbers assigned by Blue Shield, billing service dates and service providers, patient names and patient financial liability were also shared.
In a legally required disclosure filed with the US government's health department, California Blue Shield said it has notified 4.7 million people affected by the breach. The breach is believed to affect the majority of its customers. Blue Shield had 4.5 million members as of 2022.
It's not immediately clear whether Blue Shield asked Google to delete the data or whether Google is complying. Blue Shield and Google spokespeople did not immediately respond to requests for comment.
Blue Shield is the latest medical company to be caught out by its use of online tracking technology. Online trackers are small snippets of code, often provided by tech giants, that are embedded in mobile apps and websites and designed to collect information about customers' browsing activity. Tech and social media companies are usually the source of these trackers and rely on the data for advertising, which drives a large portion of their revenue.
Last year, U.S. health insurance giant Kaiser notified more than 13 million people that it had shared patient data with advertisers, including Google, Microsoft and X, after embedding tracking code on its websites.
Several other emerging healthcare companies, including the mental health startup Brain and the alcohol recovery startups Monuments and Tempest, have disclosed past breaches that involved sharing patients' personal and health information with advertising companies.
The California Blue Shield breach now stands as the biggest healthcare-related data breach of 2025 so far, according to the U.S. Health Service's Civil Rights Office.