Blue Shield of California notifies members of potential data breach through Google Analytics
Learn More
Blue Shield of California is reporting a potential data breach that may have exposed elements of their protected health information. The incident stems from a misconfiguration of Google Analytics on the insurer's websites between April 2021 and January 2024.
Blue Shield discovered on February 11, 2025, that Google Analytics had been configured in a way that allowed certain member data to be shared with Google's advertising product, Google Ads. This configuration likely resulted in protected health information being shared without proper authorization.
The information that may have been exposed includes:
- Insurance plan name, type, and group number
- City and zip code
- Gender
- Family size
- Blue Shield assigned identifiers for members' online accounts
- Medical claim service date and service provider
- Patient name
- Patient financial responsibility
- "Find a Doctor" search criteria and results (location, plan name and type, provider name and type)
The incident appears to have impacted 4.7 million people.
Blue Shield emphasizes that no malicious actors were involved in this incident. Due to the complexity and scope of the disclosures, the health insurer is unable to confirm whether any particular member's specific information was affected.
As a precautionary measure, Blue Shield is providing notice to all members who may have accessed their member information on the potentially impacted Blue Shield websites during the relevant time period.
Blue Shield states that it severed the connection between Google Analytics and Google Ads on its websites in January 2024, prior to discovering the issue. The company has no reason to believe that any member data has been shared from Blue Shield's websites with Google after the connection was terminated.
For additional questions, members can contact Blue Shield toll-free at 1-833-918-5064, Monday through Friday, between 6am and 6pm Pacific Standard Time.
