Blue Shield of California has sent notices to its members warning that it may have unwittingly shared the protected health information of 4.7 million people with Google over a three-year period.
The issue arose from a quirk in Google Analytics, the insurer said. Blue Shield of California has historically used Google Analytics to internally track website usage by members who entered certain Blue Shield sites, ostensibly to improve services.
But earlier this year, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads. This data likely included protected health information.
Google may have used this data to conduct focused ad campaigns aimed at those individual members, BS California said. The insurer emphasized that there was no bad actor involved and that, to its knowledge, Google has not used the information for any purpose other than those ads or shared the protected information with anyone.
WHAT’S THE IMPACT
The data leaks affected about 4.7 million members, according to the Department of Health and Human Services’ Office for Civil Rights’ breach portal. BS California severed the connection between Google Analytics and Google Ads on its websites in January 2024.
It’s extremely unlikely, the insurer said, that any member data has been shared from Blue Shield’s websites with Google after the connection was severed.
The information that may have been impacted includes insurance plan name, type and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members’ online accounts; medical claim service date and service provider, patient name, and patient financial responsibility; and “Find a Doctor” search criteria and results (location, plan name and type, provider name and type).
There was no disclosure of other types of personal information, such as Social Security numbers, driver’s license numbers, or banking or credit card information, said BS California.
As a precautionary measure, the insurer recommends that members remain vigilant by closely reviewing their account statements and credit reports. If they detect any suspicious activity on an account, they should promptly notify the relevant financial institution.
Additionally, members should report any fraudulent activity or suspected incident of identity theft to the proper authorities, including local law enforcement (to file a police report), the attorney general or the Federal Trade Commission.
THE LARGER TREND
Most data breaches are due to some form of cyberattack. A KnowBe4 report published in June showed that a surge in cyberattacks contributed to a steep rise in cyberattack costs for healthcare organizations, with the average breach cost nearing $11 million – more than three times the global average – making healthcare the costliest sector for cyberattacks.
Ransomware attacks have dominated, accounting for more than 70% of successful cyberattacks on healthcare organizations in the past two years.
Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.