Blue Shield exposed 4.7 million patients’ health data to Google

Healthcare institutions and insurers arguably collect the most sensitive information about you, including IDs, contact details, addresses and medical records. But they often don’t put in the same level of effort to protect that data. 

That’s clear from the growing number of healthcare data breaches we’ve seen recently. In most of those cases, a bad actor was involved. 

But in the latest news, health insurance giant Blue Shield of California confirmed that it had been sharing private health data of 4.7 million users with Google for three years without even realizing it.

STAY PROTECTED & INFORMED! GET SECURITY ALERTS & EXPERT TECH TIPS — SIGN UP FOR KURT’S THE CYBERGUY REPORT NOW

What you need to know

Blue Shield of California just admitted to a major data privacy slip that went on for almost three years, from April 2021 to January 2024. It was using Google Analytics to track how people used its member websites. This is totally normal since every business does it. But the tool was accidentally sharing sensitive info with Google Ads because it wasn’t set up properly. 

What I find extremely shocking is that it took the company three years to realize it was sharing its user data with Google to run ads. This says a lot about how much these healthcare giants care about protecting your data. 

The shared data included a broad array of protected health information (PHI), including names, zip codes, gender, medical claim dates, online account numbers, insurance plan names, group numbers, family data and even search criteria used in its “Find a Doctor” feature.

“Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone,” the company said in a notice on its website.

This incident is not isolated. Over the past few years, healthcare and tech companies have come under scrutiny for similar missteps. The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have already issued warnings about the use of tracking technologies in healthcare, especially those that might expose patient data to third parties without adequate transparency or safeguards.

A Google spokesperson provided the following comment to CyberGuy when asked about the Blue Shield data breach:

“Businesses, not Google, manage the data they collect and must inform users about its collection and use. By default, any data sent to Google Analytics for measurement does not identify individuals, and we have strict policies against collecting private health information (PHI) or advertising based on sensitive information.”

MALWARE EXPOSES 3.9 BILLION PASSWORDS IN HUGE CYBERSECURITY THREAT 

Impact on patients and the industry

Since the data was only shared with Google and not any other party, the overall risk is relatively low, apart from the clear privacy violation. It’s highly unlikely that anyone else will gain access to it, so the chances of the data being misused are slim. Google says it doesn’t allow ads to be served based on sensitive information like health, so there’s a good chance your data wasn’t even used for advertising.

Blue Shield’s case follows a string of similar breaches. Companies like GoodRx, BetterHelp and Kaiser have all faced regulatory and legal consequences for sharing sensitive user data with advertising vendors. Some even settled for millions of dollars. Despite the risks, many healthcare organizations have continued using these tools due to the lack of clear regulatory guardrails, a situation complicated further by a federal court ruling that blocked the Biden administration’s attempts to curb the use of online trackers in healthcare settings.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

HOW TO REMOVE YOUR PRIVATE DATA FROM THE INTERNET

How to protect your health data online

The Blue Shield of California incident is a reminder that even well-known healthcare providers can mishandle sensitive data. While you can’t always control what happens behind the scenes, there are steps you can take to reduce your exposure and safeguard your privacy:

1. Limit what you share on health portals: Avoid entering more personal details than absolutely necessary on insurance or provider websites. Tools like “Find a Doctor” might log your search terms, so keep inputs vague when possible.

2. Use privacy-focused browsers: Browsers like Brave or Firefox offer built-in privacy protections, such as blocking third-party trackers that could expose health-related browsing activity.

3. Turn off ad personalization: Visit Google’s Ad Settings and disable ad personalization. This won’t stop tracking, but it can reduce how your data is used for targeting.

4. Opt out of tracking where possible: Many healthcare sites use cookies and tracking tools. Choose “reject all” or the strictest privacy settings in cookie banners. If a tracking opt-out tool is available, use it.

5. Read privacy policies (yes, really): Look for language like “third-party sharing,” “advertising,” or “analytics.” If a healthcare provider mentions tools like Google Analytics or Meta Pixel, that’s a cue to proceed cautiously.

6. Monitor your accounts and credit: Keep an eye out for unusual insurance claims or medical charges. Set up credit alerts or monitoring services if your provider offers them, especially after a breach.

7. Ask questions: Call or email your healthcare provider or insurer. Ask what tracking tools they use and how they protect your data. The more consumers push for transparency, the more pressure there is to improve standards.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

Bonus privacy steps (For extra peace of mind)

If you want to go beyond the basics, here are some additional steps that can help reduce your digital footprint and catch misuse early:

Use a personal data removal service: While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap — and neither is your privacy.  These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet.  By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here. 

Consider identity theft protection services: If you’re concerned about fraud or medical identity theft, you’ll want to consider using identity theft protection services. Identity theft companies can monitor personal information like your Social Security number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account.  They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. 

Use strong antivirus software: To guard against malware or phishing attacks that could compromise access to your online health accounts, be sure to use strong antivirus software. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices. 

Kurt’s key takeaway

It baffles me how careless most companies are when it comes to protecting user data. Blue Shield “mistakenly” shared your data with Google, which then used it to show personalized ads. It took the company three years to realize this. While most cyber incidents involve an attacker, this breach didn’t need one. We need accountability in data practices, especially when human error or tech oversight can cause damage at scale.

CLICK HERE TO GET THE FOX NEWS APP

How comfortable are you knowing that your health data might be used to target ads? Let us know by writing us at Cyberguy.com/Contact

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Ask Kurt a question or let us know what stories you’d like us to cover

Follow Kurt on his social channels

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com.  All rights reserved.