154/68 Friday, April 25, 2025

Blue Shield of California has disclosed a data breach in which Protected Health Information (PHI) of more than 4.7 million members was inadvertently exposed to Google’s analytics and advertising platforms. The breach was due to a misconfiguration of Google Analytics on certain sections of the organization’s website. The incident occurred between April 2021 and January 2024, and the U.S. Department of Health and Human Services (HHS) has recently updated its breach reporting system to confirm the number of affected individuals.
The types of data exposed include:
- Insurance plan names, group types, and group numbers
- ZIP codes, gender
- Online account member IDs
- Dates of medical services, providers, patient names, and patient responsibility amounts
- Search data from the “Find a Doctor” tool, including locations, plan names, provider names, and provider types

However, Blue Shield has confirmed that other personal information, such as Social Security numbers, driver’s licenses, bank account information, and credit card data, was not compromised in this incident. Members are advised to monitor their accounts and credit reports to safeguard against any potential misuse.
This marks the second significant IT-related issue for Blue Shield within a year. Last year, nearly one million members’ data was stolen by the BlackSuit ransomware group through a breach at Connexure (formerly known as Young Consulting), a third-party software provider.