Blue Shield of California Says Google Analytics Behind PHI Data Breach
Blue Shield of California is notifying members of a potential data breach that stemmed from its use of Google Analytics and may have exposed protected health information (PHI). Because the insurer cannot determine exactly who was affected, it has chosen to notify every member who may have accessed their information on Blue Shield websites.
How did the Blue Shield Data Breach Happen?
Blue Shield used Google Analytics to track member activity on company websites. In February 2025, Blue Shield discovered that, from April 2021 to January 2025, Google Analytics had been configured in a way that allowed member data, likely including PHI, to be shared with Google Ads. The information that was potentially shared included:
- Insurance plan name, type, and group number
- City and zip code
- Gender
- Family size
- Blue Shield online account data
- Medical claim dates, service providers, and patient financial responsibility
Google could then have used the shared information to target ads at the affected members. Blue Shield stated that no bad actors were involved, and it does not believe at this time that Google shared the data with anyone else or used it for any purpose other than ad targeting.
According to Blue Shield, other personal data, including Social Security numbers, driver's license numbers, and bank information, was not disclosed.
After the breach was discovered, Blue Shield reviewed its websites and security protocols to ensure that no other analytics tracking software was impermissibly sharing members’ protected health information.
The root cause was a configuration in which Google Analytics shared data (potentially including PHI) with Google Ads. If you are unsure whether your organization's Google Analytics property is linked to a Google Ads account, Google's support page on Google Ads linking walks through how to check, and the link settings are visible in the property's Admin section.
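The Blue Shield configuration problem lived in the Google Analytics account itself (the property's link to Google Ads), and nothing on the page can undo that link; it has to be reviewed in the GA admin settings. A site operator can still add client-side guards so that, even when analytics is loaded, a page view does not carry PHI-like URL parameters and does not opt into Google's advertising features. The following is an added example written for this article, not Blue Shield's or Google's code. It assumes a gtag.js deployment with a placeholder measurement ID, and the parameter denylist is a constructed illustration of the kinds of fields the article lists (plan, claim dates, provider, financial responsibility), not a list taken from the incident. `allow_google_signals`, `allow_ad_personalization_signals`, and the Consent Mode keys are documented gtag.js parameters.

```javascript
// Added example: client-side guards for a GA4 (gtag.js) deployment on a site
// that handles health data. Not code from the article, Blue Shield or Google.

// Assumption: placeholder GA4 measurement ID, replace with the real one.
const MEASUREMENT_ID = "G-XXXXXXXXXX";

// Constructed denylist (assumption): query parameters that a member portal
// might use for plan, claim, provider or payment details.
const PHI_PARAMS = new Set([
  "member_id", "group", "plan", "claim", "claim_date",
  "provider", "amount", "dob", "zip", "gender",
]);

// Redact sensitive query parameters and drop the fragment before the URL is
// handed to analytics. The path is kept so page-level reporting still works.
function sanitizeLocation(href) {
  const url = new URL(href);
  // Copy the keys first: mutating searchParams while iterating it is unsafe.
  for (const key of [...url.searchParams.keys()]) {
    if (PHI_PARAMS.has(key.toLowerCase())) {
      url.searchParams.set(key, "REDACTED");
    }
  }
  url.hash = "";
  return url.toString();
}

// GA4 config object: send the scrubbed URL and opt out of Google Signals and
// ad personalization, the features that feed analytics data into Google Ads.
function buildConfig(href) {
  return {
    page_location: sanitizeLocation(href),
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
  };
}

// Consent Mode defaults: deny every storage/ad purpose until a consent banner
// calls gtag('consent', 'update', ...) with what the user actually granted.
function consentDefaults() {
  return {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
  };
}

// Push the consent default, the timestamp and the hardened config onto the
// dataLayer that gtag.js reads. Takes the global object as a parameter so it
// can be exercised outside a browser with a fake { location: { href } }.
function installAnalytics(global) {
  global.dataLayer = global.dataLayer || [];
  function gtag() { global.dataLayer.push(arguments); }
  gtag("consent", "default", consentDefaults());
  gtag("js", new Date());
  gtag("config", MEASUREMENT_ID, buildConfig(global.location.href));
  return global.dataLayer;
}

// In a browser, run on load. Order matters: these pushes must happen before
// the gtag.js script tag is loaded, or the consent default is ignored.
if (typeof window !== "undefined") {
  installAnalytics(window);
}
```

Two caveats apply. First, redacting query parameters does nothing for PHI embedded in the path itself (for example a claim number as a path segment), so the URL scheme of the portal has to be audited as well as its parameters. Second, these flags only govern what this property sends; a GA property that is linked to a Google Ads account at the admin level, which is the configuration the article describes, still needs that link reviewed and removed where it is not permitted.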
Web Tracker Risks
The use of web tracking technologies such as Meta Pixel and Google Analytics continues to create risk for healthcare organizations.
In 2024, Kaiser Permanente notified more than 13 million people that web tracking tools on its website and apps resulted in their data being disclosed to Microsoft, Google, and X. The types of data potentially disclosed included names, IP addresses, and search terms used on the company’s health encyclopedia, such as symptoms, drugs, injuries, and exercises.
Similarly, GoodRx agreed to a $25 million class action settlement after plaintiffs argued that health information about medical treatments and prescriptions that users submitted through the GoodRx platform was disclosed to and intercepted by technology companies, including Meta and Google. The sharing was made possible by Meta Pixel and other tracking technologies.
In 2023, GoodRx was fined $1.5 million by the Federal Trade Commission (FTC) for failing to report unauthorized disclosures of consumer health data to Facebook, Google, and other companies.
To learn more about configuring your website’s privacy functions and controls to reduce the risk of data breaches, HIPAA violations, and potential lawsuits, watch or listen to our Website Privacy Functions and Controls podcast episode. A transcript of the episode is also available.
CompliancePoint offers an extensive suite of services to help healthcare organizations solve their cybersecurity and healthcare challenges, including HIPAA compliance, cookie management, and HITRUST certification. Contact us at connect@compliancepoint.com to learn more.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.