HomeScience & EnvironmentBlue Shield exposed 4.7...

Blue Shield exposed 4.7 million patients’ health data to Google

Healthcare institutions and insurers arguably collect the most sensitive information about you, including IDs, contact details, addresses and medical records. But they often don’t put in the same level of effort to protect that data. 

That’s clear from the growing number of healthcare data breaches we’ve seen recently. In most of those cases, a bad actor was involved. 

But in the latest news, health insurance giant Blue Shield of California confirmed that it had been sharing private health data of 4.7 million users with Google for three years without even realizing it.

STAY PROTECTED & INFORMED! GET SECURITY ALERTS & EXPERT TECH TIPS — SIGN UP FOR KURT’S THE CYBERGUY REPORT NOW

A person doing a Google search  (Kurt “CyberGuy” Knutsson))

What you need to know

Blue Shield of California just admitted to a major data privacy slip that went on for almost three years, from April 2021 to January 2024. It was using Google Analytics to track how people used its member websites. This is totally normal since every business does it. But the tool was accidentally sharing sensitive info with Google Ads because it wasn’t set up properly. 

What I find extremely shocking is that it took the company three years to realize it was sharing its user data with Google to run ads. This says a lot about how much these healthcare giants care about protecting your data. 

The shared data included a broad array of protected health information (PHI), including names, zip codes, gender, medical claim dates, online account numbers, insurance plan names, group numbers, family data and even search criteria used in its “Find a Doctor” feature.

“Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone,” the company said in a notice on its website.

This incident is not isolated. Over the past few years, healthcare and tech companies have come under scrutiny for similar missteps. The Federal Trade Commission (FTC) and the Department of Health and Human Services (HHS) have already issued warnings about the use of tracking technologies in healthcare, especially those that might expose patient data to third parties without adequate transparency or safeguards.

A Google spokesperson provided the following comment to CyberGuy when asked about the Blue Shield data breach:

“Businesses, not Google, manage the data they collect and must inform users about its collection and use. By default, any data sent to Google Analytics for measurement does not identify individuals, and we have strict policies against collecting private health information (PHI) or advertising based on sensitive information.”

person typing on laptop

A person working on their laptop  (Kurt “CyberGuy” Knutsson)

MALWARE EXPOSES 3.9 BILLION PASSWORDS IN HUGE CYBERSECURITY THREAT 

Impact on patients and the industry

Since the data was only shared with Google and not any other party, the overall risk is relatively low, apart from the clear privacy violation. It’s highly unlikely that anyone else will gain access to it, so the chances of the data being misused are slim. Google says it doesn’t allow ads to be served based on sensitive information like health, so there’s a good chance your data wasn’t even used for advertising.

Blue Shield’s case follows a string of similar breaches. Companies like GoodRx, BetterHelp and Kaiser have all faced regulatory and legal consequences for sharing sensitive user data with advertising vendors. Some even settled for millions of dollars. Despite the risks, many healthcare organizations have continued using these tools due to the lack of clear regulatory guardrails, a situation complicated further by a federal court ruling that blocked the Biden administration’s attempts to curb the use of online trackers in healthcare settings.

WHAT IS ARTIFICIAL INTELLIGENCE (AI)?

typing on a laptop

A person working on a laptop (Kurt “CyberGuy” Knutsson)

HOW TO REMOVE YOUR PRIVATE DATA FROM THE INTERNET

How to protect your health data online

The Blue Shield of California incident is a reminder that even well-known healthcare providers can mishandle sensitive data. While you can’t always control what happens behind the scenes, there are steps you can take to reduce your exposure and safeguard your privacy:

1. Limit what you share on health portals: Avoid entering more personal details than absolutely necessary on insurance or provider websites. Tools like “Find a Doctor” might log your search terms, so keep inputs vague when possible.

2. Use privacy-focused browsersBrowsers like Brave or Firefox offer built-in privacy protections, such as blocking third-party trackers that could expose health-related browsing activity.

3. Turn off ad personalization: Visit Google’s Ad Settings and disable ad personalization. This won’t stop tracking, but it can reduce how your data is used for targeting.

4. Opt out of tracking where possible: Many healthcare sites use cookies and tracking tools. Choose “reject all” or the strictest privacy settings in cookie banners. If a tracking opt-out tool is available, use it.

5. Read privacy policies (yes, really): Look for language like “third-party sharing,” “advertising,” or “analytics.” If a healthcare provider mentions tools like Google Analytics or Meta Pixel, that’s a cue to proceed cautiously.

6. Monitor your accounts and credit: Keep an eye out for unusual insurance claims or medical charges. Set up credit alerts or monitoring services if your provider offers them, especially after a breach.

7. Ask questions: Call or email your healthcare provider or insurer. Ask what tracking tools they use and how they protect your data. The more consumers push for transparency, the more pressure there is to improve standards.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

Bonus privacy steps (For extra peace of mind)

If you want to go beyond the basics, here are some additional steps that can help reduce your digital footprint and catch misuse early:

Use a personal data removal service: While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap — and neither is your privacy.  These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet.  By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you. Check out my top picks for data removal services here. 

Consider identity theft protection services: If you’re concerned about fraud or medical identity theft, you’ll want to consider using identity theft protection services. Identity theft companies can monitor personal information like your Social Security number, phone number and email address and alert you if it is being sold on the dark web or being used to open an account.  They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. 

Use strong antivirus software: To guard against malware or phishing attacks that could compromise access to your online health accounts, be sure to use strong antivirus software. The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2025 antivirus protection winners for your Windows, Mac, Android and iOS devices. 

Kurt’s key takeaway

It baffles me how careless most companies are when it comes to protecting user data. Blue Shield “mistakenly” shared your data with Google, which then used it to show personalized ads. It took the company three years to realize this. While most cyber incidents involve an attacker, this breach didn’t need one. We need accountability in data practices, especially when human error or tech oversight can cause damage at scale.

CLICK HERE TO GET THE FOX NEWS APP

How comfortable are you knowing that your health data might be used to target ads? Let us know by writing us at Cyberguy.com/Contact

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Ask Kurt a question or let us know what stories you’d like us to cover

Follow Kurt on his social channels

Answers to the most asked CyberGuy questions:

New from Kurt:

Copyright 2025 CyberGuy.com.  All rights reserved.

Source link

Most Popular

More from Author

Read Now

Emma Heming Willis makes tearful confession about husband Bruce’s condition

Emma Heming Willis, wife of Bruce Willis, tearfully shared she still catches rare flashes of her husband’s personality after...

Business news live: FTSE 100 drops and Poundland is saved from going into administration

Business and Money live - 26 AugustMorning all and welcome back to our live business and finance coverage on The Independent.This morning we’re looking at food inflation rising, the stock market reopening in London and plenty more.Karl Matchett26 August 2025 08:09Food inflation rises to 4.2% - fastest...

From kitchen staple to natural shield: What garlic can do for our health

Garlic is not just a common kitchen ingredient and a flavour enhancer, but also a potent medicine. For ages it has been part of traditional medicines and Ayurveda regards it as an effective cure for several ailments. From applying garlic-infused oil to eating a clove...

Stone Age settlement lost to rising seas 8,500 years ago found off Denmark coast

Bay of Aarhus, Denmark — Below the dark blue waters of the Bay of Aarhus in northern Denmark, archaeologists search for coastal settlements swallowed by rising sea levels more than 8,500 years ago. This summer, divers descended about 26 feet below the waves close...

Corporate earnings: RBI data shows listed firms’ sales growth slows to 5.5% in Q1, IT and manufacturing drag overall pace

Sales growth of listed private non-financial companies slowed to 5.5 per cent in the first quarter of FY26, down from 6.9 per cent in the same period last year, according to data released by the Reserve Bank of India (RBI) on Monday. The figures were...

Berlin’s ‘Moors’ Street’ renamed after years of controversy

A central Berlin street is being officially renamed on Saturday for an 18th-century African philosopher after years of debate...

ISRO Completes First Integrated Air Drop Test For Gaganyaan Mission | Science & Environment News

NEW DELHI: The Indian Space Research Organisation (ISRO) has successfully conducted its first Integrated Air Drop Test (IADT-01), marking a key milestone in the preparation for India's ambitious Gaganyaan Mission. According to ISRO, the successful trial was a collaborative effort involving multiple defence and research organisations, including...

Blue badge holders should not pay airport drop-off fees, charity says

Mitchell LabiakBusiness reporter, BBC NewsGetty ImagesAll UK airports should stop charging blue badge holders for being dropped off close to terminals, a disability charity has said.Several people with blue badges got in touch with the BBC following news that more than half of the busiest airports had...