Blue Shield of California exposed the health data of 4.7 million members to Google for years due to a misconfigured Google Analytics setup. No SSNs leaked.
Blue Shield of California, a major health insurance provider, has announced that the personal information of about 4.7 million of its members was exposed to Google's advertising and analytics services. This happened over nearly three years, from April 2021 to January 2024.
The insurer states (PDF) that it used Google Analytics to track how customers used its websites. A misconfiguration in this setup allowed protected health information to be collected as well, including the specific words and phrases that patients typed into the website to find doctors and other healthcare services.
On February 11, 2025, the company discovered that Google Analytics had been set up in a way that allowed some member data to be shared with Google's advertising platform, Google Ads, which may have used it to show targeted ads to individual members, potentially compromising their privacy.
The data shared could include the insurance plan name, group number, city and zip code, gender, family size, Blue Shield-assigned identification numbers for online accounts, the date of medical service, the name of the doctor or hospital, the patient-owed amount, and the terms used when searching for a doctor on the "Find a Doctor" tool. However, the company confirmed that personal information such as Social Security numbers, driver's license numbers, and bank or credit card details was not exposed in this incident.
Blue Shield severed the connection between Google Analytics and Google Ads on its websites in January 2024. The company is now reviewing its websites and security procedures to prevent other tracking software from sharing members' private health information.
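As an added illustration (not code from Blue Shield, Google, or the original article), here is what the same kind of GA4 tag configuration looks like in a weak form and a hardened form, together with a small audit function a site owner could run before deploying the tag. The article does not say which settings were actually misconfigured; the example assumes the common pattern of Google Signals and ad personalization left enabled and the raw search URL (query string included) reported as page_location. The GA4 field names allow_google_signals, allow_ad_personalization_signals and page_location are Google's documented config fields; the denylisted parameter names, the sample URL and the measurement ID are made up for this example.

```javascript
// Added example, not code from Blue Shield of California or from Google.
// It shows a GA4 gtag.js configuration of the weak kind the article
// describes (analytics data flowing on to Google Ads, raw search URLs sent
// as page_location) next to a hardened one, plus a pre-deploy audit that
// catches the weak settings. allow_google_signals,
// allow_ad_personalization_signals and page_location are documented GA4
// config fields; the denylisted parameter names, the measurement ID and the
// sample URL are assumptions made up for this example.

// Hypothetical query-parameter names a "Find a Doctor" style page might
// carry. The article says search terms leaked but does not name the
// parameters, so these are illustrative only.
const SENSITIVE_QUERY_PARAMS = new Set([
  "q", "search", "specialty", "zip", "plan", "group", "member_id",
]);

// Return a copy of `url` with every denylisted query parameter replaced by
// the literal value "redacted" and the fragment removed, so the value sent
// as page_location keeps the page path (still useful for analytics) but
// carries no search terms or member identifiers.
function redactPageLocation(url, denylist = SENSITIVE_QUERY_PARAMS) {
  const u = new URL(url);
  for (const key of [...u.searchParams.keys()]) {
    if (denylist.has(key.toLowerCase())) {
      u.searchParams.set(key, "redacted");
    }
  }
  u.hash = "";
  return u.toString();
}

// Build the object passed as the third argument of gtag("config", ...).
// hardened=false reproduces the risky shape: Google Signals and ad
// personalization on, and the unmodified URL (query string included)
// reported as page_location. hardened=true turns both switches off and
// reports the redacted URL instead.
function buildAnalyticsConfig(rawUrl, { hardened }) {
  if (!hardened) {
    return {
      allow_google_signals: true,
      allow_ad_personalization_signals: true,
      page_location: rawUrl,
    };
  }
  return {
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
    page_location: redactPageLocation(rawUrl),
  };
}

// Audit a config object the way a pre-deploy check would: flag ad-sharing
// switches that are not explicitly false, and any page_location that still
// carries a denylisted parameter with a real value. Returns an array of
// findings; an empty array means the config passes.
function auditAnalyticsConfig(config, denylist = SENSITIVE_QUERY_PARAMS) {
  const findings = [];
  if (config.allow_google_signals !== false) {
    findings.push("allow_google_signals is not false");
  }
  if (config.allow_ad_personalization_signals !== false) {
    findings.push("allow_ad_personalization_signals is not false");
  }
  if (typeof config.page_location === "string") {
    for (const [key, value] of new URL(config.page_location).searchParams) {
      if (denylist.has(key.toLowerCase()) && value !== "redacted" && value !== "") {
        findings.push(`page_location leaks query parameter "${key}"`);
      }
    }
  }
  return findings;
}

// Constructed sample URL: a doctor search with a specialty and zip code in
// the query string, exactly the kind of value GA4 would otherwise record.
const SAMPLE_URL =
  "https://www.example.test/find-a-doctor?q=oncologist&zip=94105&page=2#results";

// In a browser this is where the hardened config would be applied. The
// typeof guards keep the block runnable offline under Node.
if (typeof gtag === "function" && typeof location !== "undefined") {
  gtag("config", "G-XXXXXXXXXX", // placeholder measurement ID
    buildAnalyticsConfig(location.href, { hardened: true }));
}

console.log(auditAnalyticsConfig(buildAnalyticsConfig(SAMPLE_URL, { hardened: false })));
console.log(auditAnalyticsConfig(buildAnalyticsConfig(SAMPLE_URL, { hardened: true })));
```

The weak configuration produces four findings on the sample URL (both sharing switches on, and the q and zip parameters present in page_location); the hardened one produces none. Redacting in the page rather than relying on console-side data filters matters because anything in the hit has already left the site by the time a filter runs.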
In its breach notification, Blue Shield stated that it cannot confirm whether Google has seen any specific member's information, but it is informing all members who may have used their online accounts on Blue Shield's websites during that timeframe out of caution.
The company is reassuring members that no malicious hackers were involved in the incident, that Google only used the information for advertisements and has not shared the private health details with anyone else, and it expressed its commitment to safeguarding its members' privacy.
"Blue Shield takes this matter very seriously and has already initiated measures to safeguard against similar future disclosures," the company stated.
Given that the company had around 4.5 million members in 2022, this breach likely affects nearly all of Blue Shield's customers. According to the U.S. Department of Health and Human Services' Office for Civil Rights, the Blue Shield of California data exposure is the largest healthcare-related breach in the US so far in 2025.
Blue Shield is urging members to monitor their account statements and credit reports for suspicious activity, and if they suspect fraudulent activity or believe their identity has been stolen, to report it to law enforcement agencies. Members can also obtain a free credit report every 12 months from the three main credit reporting agencies or purchase one directly.
Jim Routh, Chief Trust Officer at Saviynt, told Hackread.com that breaches like this are likely to continue. He pointed out that platforms like Google Analytics collect behavioural and personal data for ad targeting, and it is up to companies like Blue Shield of California to properly configure these tools.
"While SSNs weren't exposed, the leaked health-specific data should never have been shared. And the fact that this breach was disclosed months after it was discovered is also concerning," he said.
Since Google had access to all that sensitive health-related information for nearly three years, and there is no indication that the company flagged it or reported it, some serious questions remain:
- If Google did notice, did it quietly use the data for ad targeting?
- Why didn't any internal safeguards catch that health data was coming through?