California Health Insurance Provider Blue Shield’s Misconfiguration Exposed Most of Its Customer Health Data to Google Ad Network for 3 Years

by | Apr 30, 2025

Google Analytics is generally regarded as a benign advertising tool. It has run into some regulatory trouble in the EU due to the possibility of Google combining what it collects with more personalized profiles within its own systems, but otherwise anonymizes user activity. So the story of health insurance provider Blue Shield of California experiencing a data breach that involved it is an odd one, no less so for the fact that the majority of its customer base seems to have had some form of health data exposed.

The culprit appears to be misconfigured linkage between Analytics and Google’s broader ad network, which provides personalized data about ad recipients to bidders. It remains unclear if the health data leaked out to that third-party ecosystem or was only exposed to Google internally, but either way it is the type of sensitive information that should not be passing through Analytics in the first place.

Exposed health data may have included claim and condition information

The good news about the breach is that the health data did not contain financial details, Social Security numbers or patient records. However, it did include enough health insurance account details that a criminal could find the information useful in running a scam or attempting to fraudulently drain an account. There is also a general privacy issue as doctor search information was included, something that could point to a physical or mental condition.

That encompasses the general range of information that was exposed, but individual health insurance customers appear to have no way of knowing exactly which of their personal details may have been viewed. Blue Shield says that it is not possible for it to determine that on an individual basis, implying that customers should not expect individual breach notifications (there is a more general breach notice on the company website).

While it is not enough information for identity theft, health insurance fraud is a possibility. This could include criminals filing false claims or attempting to obtain drugs. All of this depends on how far the information went beyond Google’s ecosystem. If it stayed with Google, it is a disturbing oversight but likely not a criminal concern. If it was provided to third-party advertisers, there is greater reason for concern.

Health insurance cyber mishaps on the rise

The size of the health insurance breach, 4.7 million of about 6 million Blue Shield of California customers, is not the only point of concern. The breach window was reportedly open from April 2021 to January 2024, nearly three continuous years, and it was only detected in February of this year.

Impacted individuals may have had their names, city and zip code of residence, gender, and family size exposed. This may have been paired with some amount of health plan information (such as claim dates and provider names), and searches run using the website’s “Find a Doctor” feature.

This is the second breach for Blue Shield of California within a year, though the prior incident involved a third-party contractor. The health insurance giant was one of the parties included in the Young Consulting breach of August 2024, which exposed just short of a million records in total (though not all of it health data). That breach was somewhat worse, as it included SSNs and customer dates of birth.

Advertising misconfigurations at health insurers and patient care providers have also become something of a theme in recent years. Something very similar happened to Advocate Aurora Health in 2022, with an error exposing data to Facebook’s and Google’s ad networks, and then again in 2024 with Kaiser Permanente. Risk from things like marketing pixel trackers and analytics tools is growing, but may still be overlooked by many organizations.
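The recurring failure described in this article and in the earlier Google Analytics passage is the same one: application fields (doctor search terms, claim details, ZIP codes) reaching an analytics tag that was never meant to carry them. One defensive control is a gate between the application and the analytics library that forwards only an allowlisted set of parameters per event and strips query strings from page URLs, which is where search terms usually ride along. The JavaScript below is an added example, not code from the article, Blue Shield, or Google; the event names, parameter names, and sample events are constructed assumptions for illustration.

```javascript
// Added example (not from the article): a client-side gate placed between the
// application and an analytics call such as gtag(). Only parameters on a
// per-event allowlist are forwarded, and page URLs are reduced to origin+path
// so that search terms and identifiers in query strings never reach the vendor.
// All event and parameter names below are assumptions, not a real tag config.

const EVENT_ALLOWLIST = {
  page_view: new Set(["page_location", "page_title"]),
  provider_search: new Set(["results_count", "search_type"]),
  claim_viewed: new Set(["claim_status"]),
};

// Parameters dropped regardless of allowlist: their presence in an analytics
// payload is a data-exposure bug by definition.
const ALWAYS_DROP = new Set([
  "member_id", "claim_id", "provider_name", "search_term", "diagnosis", "zip",
]);

// Reduce an absolute URL to origin + path; invalid URLs become "".
function stripUrl(url) {
  try {
    const u = new URL(url);
    return `${u.origin}${u.pathname}`;
  } catch {
    return "";
  }
}

// Returns { event, params, dropped }. `dropped` lists parameter names that were
// removed, so the caller can log them as a misconfiguration signal.
function sanitizeAnalyticsEvent(event, params) {
  const allowed = EVENT_ALLOWLIST[event];
  if (!allowed) {
    // Unknown event: forward nothing, report every parameter as dropped.
    return { event, params: {}, dropped: Object.keys(params).sort() };
  }
  const clean = {};
  const dropped = [];
  for (const [key, value] of Object.entries(params)) {
    if (ALWAYS_DROP.has(key) || !allowed.has(key)) {
      dropped.push(key);
      continue;
    }
    clean[key] = key === "page_location" ? stripUrl(String(value)) : value;
  }
  return { event, params: clean, dropped: dropped.sort() };
}

// Detection side: given a batch of events a tag would have sent, report which
// parameters would have leaked. Usable as a unit test or CI gate over a site's
// tag configuration before it ships.
function auditEvents(events) {
  const findings = [];
  for (const { event, params } of events) {
    const { dropped } = sanitizeAnalyticsEvent(event, params);
    if (dropped.length > 0) findings.push({ event, leaked: dropped });
  }
  return findings;
}

// Constructed sample events resembling the data categories the article lists
// (doctor search terms, claim details, ZIP code). Not real telemetry.
const SAMPLE_EVENTS = [
  { event: "page_view", params: {
      page_location: "https://member.example.com/find-a-doctor?q=oncology&zip=94105",
      page_title: "Find a Doctor" } },
  { event: "provider_search", params: {
      search_term: "oncology", zip: "94105", results_count: 12, search_type: "specialty" } },
  { event: "claim_viewed", params: {
      claim_id: "C-000123", claim_status: "paid", provider_name: "Dr. Example" } },
];

function demo() {
  const gated = SAMPLE_EVENTS.map((e) => sanitizeAnalyticsEvent(e.event, e.params));
  return { gated, findings: auditEvents(SAMPLE_EVENTS) };
}

console.log(JSON.stringify(demo(), null, 2));
```

The allowlist is deliberately per event rather than global: a `results_count` that is harmless on a search event says nothing useful on a claim event, and a deny-by-default posture means a newly added field cannot start leaking without someone explicitly enabling it. Running `auditEvents` over recorded tag payloads in CI is the cheap check that would have flagged the misconfiguration pattern the article describes before it reached production.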
