Impermissible Disclosure of Blue Shield of California Members’ PHI to Google Ads

Blue Shield of California, a health insurance plan provider, has reported a privacy breach involving web trackers that shared member data with Google's advertising service, Google Ads.

Blue Shield of California said it had installed Google Analytics to monitor visitor activity on certain Blue Shield web pages. Site owners generally use Google Analytics to collect information about website usage, such as how visitors arrive and which pages they view. That data is then used to make the website more useful to visitors.

On February 11, 2025, Blue Shield of California discovered that Google Analytics had been configured in a way that allowed member information to be shared with Google Ads for nearly 3 years. From April 2021 to January 2024, the configuration potentially allowed members' protected health information (PHI) to be collected and used to serve them personalized ads on the web through the Google Ads program.

The types of information potentially exposed and used for advertising purposes varied from person to person depending on how they used Blue Shield web pages, and may have included patient name; insurance policy name, type and group number; gender; family size; city; zip code; the Blue Shield-assigned identifier for members' online accounts; patient financial responsibility; and medical claim service date and service provider. When visitors used the "Find a Doctor" function, the search criteria and results (location, plan type, plan name, provider name) may also have been exposed.

Blue Shield of California said that no bad actors viewed the information, and that the data gathered from website visitors would only have been used for marketing purposes. Blue Shield of California said the connection between Google Analytics and Google Ads was severed in January 2024, and there is no indication that any further data was disclosed to Google Ads after that date. When the issue was discovered, Blue Shield of California began a complete review of its web pages and security practices to ensure that no other third-party tracking code impermissibly discloses users' information.

Because using PHI for marketing purposes without authorization is not permitted under HIPAA, the privacy incident is a reportable data breach. At the time of writing, the breach has not been posted on the breach portal of the Department of Health and Human Services' Office for Civil Rights. Given the length of time that Google Analytics had an active connection with Google Ads, this is likely to be a major data breach affecting a large number of Blue Shield of California members.

About Thomas Brown
Thomas Brown worked as a reporter for several years at ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interests of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X: https://x.com/Thomas7Brown