Blue Shield of California has confirmed a serious privacy breach. Over 4.7 million members had their health data exposed to Google. The issue went unnoticed for almost three years.
It all started with a mistake in how their website used Google Analytics. Between April 2021 and January 2024, some member data was sent to Google Ads by accident. Blue Shield said it discovered the issue in February 2025. They had already cut the link between the tools by January.
The exposed information includes names, insurance plans, ZIP codes, medical claims, and even doctor search terms. While no Social Security numbers or bank details were involved, the data was still sensitive.
Blue Shield of California stated that Google may have used the information to serve ads, but not for anything else. There is no sign that hackers accessed the data or that Google shared it with others.
Still, security experts are raising concerns. Ensar Seker, CISO at SOCRadar, called this a clear failure in HIPAA compliance. He said patient data should never be sent to ad platforms without consent or proper agreements.
“This wasn’t just a tech slip-up,” Seker explained. “It shows that healthcare websites often rely on tools built for retail, not for protecting patient privacy.”
He also highlighted how long the data leak lasted. “Three years is too long for any breach to go unnoticed. It points to a lack of monitoring, oversight, and audit controls,” he added.
This isn’t the first case like this. In 2022, Advocate Aurora Health exposed data from 3 million patients using a tracking pixel. That data also reached platforms like Facebook and Google.
The U.S. Department of Health and Human Services confirmed the scale of the Blue Shield incident this week. It’s now one of the largest breaches of health data in recent memory.
Experts warn that healthcare companies need to rethink how they use digital tracking tools. What works for online shopping may be dangerous in healthcare.
