Blue Shield exposed 4.7M patients’ health data to Google

Building with Blue Shield of California banner

Healthcare institutions and insurers arguably collect the most sensitive information about you, including IDs, contact details, addresses, and medical records. But they often don’t put in the same level of effort to protect that data. That’s clear from the growing number of healthcare data breaches we’ve seen recently. In most of those cases, a bad actor was involved. But in the latest news, health insurance giant Blue Shield of California confirmed that it had been sharing private health data of 4.7 million users with Google for three years without even realizing it.

 

 

Stay protected & informed! Get security alerts & expert tech tips—sign up for Kurt’s The CyberGuy Report now

 

A person is using laptop

 

What you need to know

Blue Shield of California just admitted to a major data privacy slip that went on for almost three years, from April 2021 to January 2024. They were using Google Analytics to track how people used their member websites. This is totally normal since every business does it. But the tool was accidentally sharing sensitive info with Google Ads because it wasn’t set up properly. 

What I find extremely shocking is that it took the company three years to realize they were sharing their user data with Google to run ads. This tells a lot about how much these healthcare giants care about protecting your data. 

The shared data included a broad array of protected health information (PHI), including names, zip codes, gender, medical claim dates, online account numbers, insurance plan names, group numbers, family data, and even search criteria used in their “Find a Doctor” feature.

“Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone,” the company said in a notice on its website.

This incident is not isolated. Over the past few years, healthcare and tech companies have come under scrutiny for similar missteps. The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have already issued warnings about the use of tracking technologies in healthcare, especially those that might expose patient data to third parties without adequate transparency or safeguards.

A Google spokesperson provided the following comment to CyberGuy when asked about the Blue Shield data breach:

“Businesses, not Google, manage the data they collect and must inform users about its collection and use. By default, any data sent to Google Analytics for measurement does not identify individuals, and we have strict policies against collecting Private Health Information (PHI) or advertising based on sensitive information.”

A person is using laptop

 

MALWARE EXPOSES 3.9 BILLION PASSWORDS IN HUGE CYBERSECURITY THREAT

 

Impact on patients and the industry

Since the data was only shared with Google and not any other party, the overall risk is relatively low, apart from the clear privacy violation. It’s highly unlikely that anyone else will gain access to it, so the chances of the data being misused are slim. Google says it doesn’t allow ads to be served based on sensitive information like health, so there’s a good chance your data wasn’t even used for advertising.

Blue Shield’s case follows a string of similar breaches. Companies like GoodRx, BetterHelp, and Kaiser have all faced regulatory and legal consequences for sharing sensitive user data with advertising vendors. Some even settled for millions of dollars. Despite the risks, many healthcare organizations have continued using these tools due to the lack of clear regulatory guardrails — a situation complicated further by a federal court ruling that blocked the Biden administration’s attempts to curb the use of online trackers in healthcare settings.

A person is using laptop

 

HOW TO REMOVE YOUR PRIVATE DATA FROM THE INTERNET

 

How to protect your health data online

The Blue Shield of California incident is a reminder that even well-known healthcare providers can mishandle sensitive data. While you can’t always control what happens behind the scenes, there are steps you can take to reduce your exposure and safeguard your privacy:

1) Limit what you share on health portals: Avoid entering more personal details than absolutely necessary on insurance or provider websites. Tools like “Find a Doctor” might log your search terms, so keep inputs vague when possible.

2) Use privacy-focused browsers: Browsers like Brave or Firefox offer built-in privacy protections, such as blocking third-party trackers that could expose health-related browsing activity.

3) Turn off ad personalization: Visit Google’s Ad Settings and disable ad personalization. This won’t stop tracking, but it can reduce how your data is used for targeting.

4) Opt out of tracking where possible: Many healthcare sites use cookies and tracking tools. Choose “reject all” or the strictest privacy settings in cookie banners. If a tracking opt-out tool is available, use it.

5) Read privacy policies (yes, really): Look for language like “third-party sharing,” “advertising,” or “analytics.” If a healthcare provider mentions tools like Google Analytics or Meta Pixel, that’s a cue to proceed cautiously.

6) Monitor your accounts and credit: Keep an eye out for unusual insurance claims or medical charges. Set up credit alerts or monitoring services if your provider offers them, especially after a breach.

7) Ask questions: Call or email your healthcare provider or insurer. Ask what tracking tools they use and how they protect your data. The more consumers push for transparency, the more pressure there is to improve standards.

 

Bonus privacy steps (For extra peace of mind)

If you want to go beyond the basics, here are some additional steps that can help reduce your digital footprint and catch misuse early:

Use a personal data removal service: While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice.  They aren’t cheap – and neither is your privacy.  These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites.  It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet.  By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. 

Incogni, a service I trust 100% and use myself, helps automate the process by submitting removal requests to hundreds of data brokers and people-search sites on your behalf.

Incogni automatically contacts data brokers on your behalf and requests the removal of your personal information. It also continues monitoring those sites and submits new removal requests if your data reappears.

  • Incogni currently removes personal data from 420+ data broker and people-search websites, and its Unlimited plan allows you to request removals from as many additional sites as you need.
  • Incogni has also received third-party assurance from Deloitte, validating its marketing claims.
  • The goal is simple: make it much harder for strangers, scammers, and cybercriminals to find your personal information online.

CyberGuy Exclusive: 60% off

CyberGuy readers get 60% off Incogni’s annual plans using the links in this article.

The service also includes a 30-day money-back guarantee, so you can try it risk-free and see how much of your information is exposed online.

Get Incogni and remove your info
Get Incogni’s Family Plan

   

 

Consider identity theft protection services: If you’re concerned about fraud or medical identity theft, you’ll want to consider using identity theft protection services. Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address, and alert you if it is being sold on the dark web or being used to open an account.  They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. 

One of the best parts of my top pick, Aura Identity Protection, is its all-in-one approach to safeguarding your personal and financial life. Aura includes identity theft insurance of up to $1 million per adult to cover eligible losses and legal fees, plus 24/7 U.S.-based fraud resolution support with dedicated case managers ready to help restore your identity fast.

Exclusive CyberGuy deal: Save up to 68% today: Get Aura’s award-winning identity theft protection and credit monitoring for as low as $9/month when billed annually.

See my full list of trusted identity theft protection services and expert tips to stay safe online.

 

Use strong antivirus software: To guard against malware or phishing attacks that could compromise access to your online health accounts, be sure to use strong antivirus software. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

One of the top solutions we recommend is Norton Antivirus Plus, which extends protection beyond just traditional virus scanning. While iPhones have strong built-in security, Norton adds an important extra layer by helping block malicious websites, phishing links, and unsafe downloads before they can cause harm. If you accidentally tap a bad link in an email, text message, or social media post, Norton helps prevent access to known dangerous sites using its continuously updated threat intelligence. If you are interested in a strong antivirus with phone customer service, we recommend Norton Antivirus Plus. This product includes:
  • Strong real-time protection against viruses, malware, ransomware and hacking attempts
  • AI-powered scam protection to help identify suspicious emails, texts and websites
  • Built-in password manager to securely store and manage logins
  • 2 GB PC cloud backup to help protect important files from ransomware or hardware failure
  • Smart firewall and phishing protection
COVERAGE
  • Protects 1, 3 or 5 devices
  • Available for Windows, macOS, Android and iOS
  • Includes real-time threat protection, smart firewall and phishing protection to guard against online attacks
EXCLUSIVE CYBERGUY DEAL: 58% off (year 1) Please note that the above product is the core antivirus product. Norton may try to upsell additional products, but we don’t recommend them. We encourage you to decline those offers.

 

 

Kurt’s key takeaway

It baffles me how careless most companies are when it comes to protecting user data. Blue Shield “mistakenly” shared your data with Google, which then used it to show personalized ads. It took the company three years to realize this. While most cyber incidents involve an attacker, this breach didn’t need one. We need accountability in data practices, especially when human error or tech oversight can cause damage at scale.

How comfortable are you knowing that your health data might be used to target ads? Let us know in the comments below.

FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

Copyright 2025 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.