Blue Shield of California's decision to run a third-party tracker, Google Analytics, on its websites has led to what the health insurer describes as a potential data breach: protected health information may have been shared with Google Ads.
The breach notice was issued on April 9. The insurer says it discovered on February 11 of this year that its Google Analytics configuration had allowed Google Ads to access sensitive member data.
The misconfiguration, however, had been in place for almost three years, from April 2021 until January 2024, when the connection between the two Google services was "severed" on Blue Shield's sites.
The data that Blue Shield says Google "likely" used to target advertising at affected members potentially included insurance plan name, type and group number, the member's name, financial responsibility, family size, gender, city and ZIP code, insurer-assigned identifiers for medical claim service dates and service providers, and "Find a Doctor" search criteria (location, plan name and type, provider name and type).
On the bright side, the company said Social Security numbers, driver's license numbers, and banking or credit card information were not "shared."
The health insurer also states that it has begun notifying some members about the incident, but that it cannot confirm whether any specific member's information was disclosed in this way, "due to the complexity and scope of the disclosures."
Blue Shield asserts that "no bad actor" was involved, and that Google neither shared the protected health information further nor used it "for any purpose other than these ads."
Members are now advised to "review account statements and notify law enforcement of suspicious activity," and to "report any fraudulent activity or suspected incidence of identity theft" to local law enforcement, the state Attorney General, or the FTC.
The HIPAA Journal treats the case as a reportable data breach, noting that HIPAA requires a patient's written authorization before protected health information is used for marketing, and that a disclosure to an advertising platform without that authorization is an impermissible disclosure regardless of whether an attacker was involved.
The report also notes that, as of April 10, the breach was not yet listed on the Department of Health and Human Services' Office for Civil Rights breach portal, but that "due to the length of time the connection with Google Ads was active, this is likely to be a sizable data breach affecting many Blue Shield of California members."