Blue Shield says it shared health info on up to 4.7M patients with Google Ads

US health insurance giant Blue Shield of California handed sensitive health information belonging to as many as 4.7 million members to Google’s advertising empire, likely without these individuals’ knowledge or consent.

The data shared may have included medical claim dates and providers used, which raises the specter of Google targeting ads based on the fact that you booked an appointment with a certain type of doctor – say, a cancer specialist, fertility clinic, or psychiatrist.

Other info potentially shared with Google ranged from patient names, insurance plan details, city of residence and zip code, gender, family size, and Blue Shield-assigned account identifiers, to financial responsibility info, and search queries and results for the “Find a Doctor” tool — including location, plan type, and provider details.

Exactly what was shared depended on what healthcare you were receiving, and whether you accessed or entered your info into Blue Shield’s websites between 2021 and 2024, from what we can tell.

Blue Shield gave this info to Google via its visitor analysis tool, and the web giant may have used that data to target individuals with tailored ads, according to a privacy breach notification sent this month by Blue Shield to 4.7 million people potentially caught up in this blunder.

As we understand it, Blue Shield embedded into its webpages code that would send visitor data to Google Analytics, a suite of tools for monitoring and measuring website users. In turn, these logs were passed to Google Ads due to a configuration fumble by the insurer.

“Like other health plans,” Blue Shield previously used Google Analytics to track how members interact with its websites and which sites they visit, the insurance company admitted. The outfit claims this was all “to improve the services we provide to our members.”

That health info did not necessarily remain between the insurer and its members, however.

“On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information,” according to an April 9 notice on the insurance goliath’s website. 

“Google may have used this data to conduct focused ad campaigns back to those individual members,” the note continued. “We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone.”

You might have noted the uncertainty in Blue Shield’s statements, which it blames on the “complexity and scope of the disclosures,” saying “Blue Shield is unable to confirm whether any particular member’s specific information was affected.”

Blue Shield says it “severed” the connection between Google Analytics and Google Ads on its websites in January 2024, and has “no reason to believe” that any member data has been shared since.

“Upon discovering the issue, Blue Shield immediately initiated a review of its websites and security protocols to ensure that no other analytics tracking software is impermissibly sharing members’ protected health information,” the insurer noted.
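The review Blue Shield describes, checking whether an analytics tag on a member-facing page can feed an advertising tag and whether the page URL itself carries provider-search details, can be scripted. The following is an added example written for this article, not Blue Shield's or Google's code; the sample page, the URL and the list of sensitive query keys are constructed, and the finding codes are this example's own naming. It relies on two facts about Google's tagging: the same `gtag.js` container can configure both an analytics ID (`G-`/`UA-`) and an Ads conversion ID (`AW-`), and Google Analytics records the full page URL including its query string.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Hosts whose scripts indicate a third-party analytics/advertising tracker.
TRACKER_HOSTS = ("googletagmanager.com", "google-analytics.com", "connect.facebook.net")
# Query-string keys a "Find a Doctor" style tool might expose (constructed list).
SENSITIVE_KEYS = {"specialty", "provider", "condition", "plan", "zip", "member_id"}

# Constructed sample: a provider-search results page that loads gtag.js with a
# GA4 measurement ID and a Google Ads conversion ID (AW-...) in the same tag,
# and leaves ad-personalization signals at their default (enabled).
SAMPLE_HTML = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE123"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE123');
  gtag('config', 'AW-000000000');
</script>
"""
SAMPLE_URL = "https://example-plan.test/find-a-doctor?specialty=oncology&zip=94105&page=2"


def audit_page(html: str, url: str) -> list[str]:
    """Return finding codes for one page (heuristics constructed for this example)."""
    findings = []
    hosts = set(re.findall(r'src="https?://([^/"]+)', html))
    if any(h.endswith(t) for h in hosts for t in TRACKER_HOSTS):
        findings.append("THIRD_PARTY_TRACKER_LOADED")
    tag_ids = set(re.findall(r"gtag\('config',\s*'([A-Z]+-[A-Z0-9]+)'", html))
    analytics = any(t.startswith(("G-", "UA-")) for t in tag_ids)
    ads = any(t.startswith("AW-") for t in tag_ids)
    if analytics and ads:
        # Analytics and Ads IDs in one container: page data collected for
        # analytics is one linking step away from the advertising side.
        findings.append("ANALYTICS_AND_ADS_TAGS_ON_SAME_PAGE")
    if analytics and not re.search(r"allow_ad_personalization_signals['\"]?\s*[,:]\s*false", html):
        findings.append("AD_PERSONALIZATION_NOT_DISABLED")
    # Google Analytics records the full page URL (page_location), query string included.
    if SENSITIVE_KEYS & set(parse_qs(urlparse(url).query)):
        findings.append("SENSITIVE_QUERY_PARAMS_IN_URL")
    return findings


def strip_sensitive_query(url: str) -> str:
    """Drop sensitive keys from the URL before it is reported to analytics."""
    parts = urlparse(url)
    kept = [(k, v) for k, vs in parse_qs(parts.query).items() if k not in SENSITIVE_KEYS for v in vs]
    return urlunparse(parts._replace(query=urlencode(kept)))
```

Run against a crawl of member-facing pages, the finding codes give a review team a list of pages to fix; removing the Ads ID from the analytics container and stripping search terms from reported URLs are the two changes the findings point at.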

Blue Shield declined to answer The Register's questions, including how it discovered this years-long data leak, and what other third-party trackers (if any) are on its websites.

We also reached out to Google to find out what and how much health information it collected, how it used this data, and what has happened to this data since Blue Shield booted its tracking software off of its sites.

We will update this story if and when we hear back from either outfit.

“This isn’t just a technical misstep. It’s a HIPAA compliance failure,” Ensar Seker, CISO at threat intel firm SOCRadar, told The Register, referring to America’s Health Insurance Portability and Accountability Act that safeguards medical data.

“Protected health information should never be sent to platforms like Google Ads or Analytics, especially without explicit patient consent and proper business associate agreements in place.”

Privacy implications from this SNAFU “are significant,” Seker added. “Such data can be used to infer medical conditions, insurance status, or treatment history, and that creates a risk not just of identity theft, but of discrimination, stigma, and profiling.”

As The Register has reported in the past, this is an all too common occurrence with hospitals and healthcare orgs, which frequently use tracking tech on their websites and then share this user information with Google, Meta, data brokers, and other third parties.

While we’re all used to hyper-personalized ads following us around the web, it’s especially alarming with health data, which we usually expect to remain a private matter between patients and their doctors. ®