- by foxnews
- 19 May 2025
That's clear from the growing number of healthcare data breaches we've seen recently. In most of those cases, a bad actor was involved.
What I find extremely shocking is that it took the company three years to realize it was sharing its user data with Google to run ads. This says a lot about how much these healthcare giants care about protecting your data.
The shared data included a broad array of protected health information (PHI), including names, zip codes, gender, medical claim dates, online account numbers, insurance plan names, group numbers, family data and even search criteria used in its "Find a Doctor" feature.
This incident is not isolated. Over the past few years, healthcare and tech companies have come under scrutiny for similar missteps. The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have already issued warnings about the use of tracking technologies in healthcare, especially those that might expose patient data to third parties without adequate transparency or safeguards.
A Google spokesperson provided the following comment to CyberGuy when asked about the Blue Shield data breach:
"Businesses, not Google, manage the data they collect and must inform users about its collection and use. By default, any data sent to Google Analytics for measurement does not identify individuals, and we have strict policies against collecting private health information (PHI) or advertising based on sensitive information."
Since the data was only shared with Google and not any other party, the overall risk is relatively low, apart from the clear privacy violation. It's highly unlikely that anyone else will gain access to it, so the chances of the data being misused are slim. Google says it doesn't allow ads to be served based on sensitive information like health, so there's a good chance your data wasn't even used for advertising.
Blue Shield's case follows a string of similar breaches. Companies like GoodRx, BetterHelp and Kaiser have all faced regulatory and legal consequences for sharing sensitive user data with advertising vendors. Some even settled for millions of dollars. Despite the risks, many healthcare organizations have continued using these tools due to the lack of clear regulatory guardrails, a situation complicated further by a federal court ruling that blocked the Biden administration's attempts to curb the use of online trackers in healthcare settings.
The Blue Shield of California incident is a reminder that even well-known healthcare providers can mishandle sensitive data. While you can't always control what happens behind the scenes, there are steps you can take to reduce your exposure and safeguard your privacy:
1. Limit what you share on health portals: Avoid entering more personal details than absolutely necessary on insurance or provider websites. Tools like "Find a Doctor" might log your search terms, so keep inputs vague when possible.
4. Opt out of tracking where possible: Many healthcare sites use cookies and tracking tools. Choose "reject all" or the strictest privacy settings in cookie banners. If a tracking opt-out tool is available, use it.
5. Read privacy policies (yes, really): Look for language like "third-party sharing," "advertising," or "analytics." If a healthcare provider mentions tools like Google Analytics or Meta Pixel, that's a cue to proceed cautiously.
6. Monitor your accounts and credit: Keep an eye out for unusual insurance claims or medical charges. Set up credit alerts or monitoring services if your provider offers them, especially after a breach.
7. Ask questions: Call or email your healthcare provider or insurer. Ask what tracking tools they use and how they protect your data. The more consumers push for transparency, the more pressure there is to improve standards.
If you want to go beyond the basics, here are some additional steps that can help reduce your digital footprint and catch misuse early:
Consider identity theft protection services: If you're concerned about fraud or medical identity theft, you'll want to consider using identity theft protection services. Identity theft companies can monitor personal information like your Social Security number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.
It baffles me how careless most companies are when it comes to protecting user data. Blue Shield "mistakenly" shared your data with Google, which then used it to show personalized ads. It took the company three years to realize this. While most cyber incidents involve an attacker, this breach didn't need one. We need accountability in data practices, especially when human error or tech oversight can cause damage at scale.
Copyright 2025 CyberGuy.com. All rights reserved.