Blue Shield exposed 4.7 million patients’ health data to Google
Healthcare institutions and insurers are entrusted with some of the most sensitive information about individuals, including IDs, contact details, addresses, and medical records. However, recent incidents have shown that these entities do not always prioritize the protection of this data. A prime example of this is the recent revelation by health insurance giant Blue Shield of California that it had been sharing private health data of 4.7 million users with Google for three years without their knowledge.
The data privacy slip occurred from April 2021 to January 2024, during which Blue Shield of California was using Google Analytics to track user activity on its member websites. While this is a common practice for businesses, the tool was inadvertently sharing sensitive information with Google Ads due to improper setup. The shared data included a wide range of protected health information, such as names, zip codes, gender, medical claim dates, online account numbers, insurance plan names, group numbers, family data, and search criteria used in the “Find a Doctor” feature.
It is concerning that it took the company three years to realize that it was sharing user data with Google for advertising purposes. This oversight highlights the lack of priority placed on protecting user data by healthcare organizations. Despite Blue Shield’s assurance that no bad actor was involved and that Google had not used the information for any other purpose, the incident raises questions about the security practices of healthcare providers.
This breach is not an isolated incident in the healthcare industry, as other companies have faced similar scrutiny for sharing sensitive user data with third-party vendors. Regulatory bodies like the Federal Trade Commission and the Department of Health and Human Services have issued warnings about the use of tracking technologies in healthcare settings that may expose patient data without adequate safeguards.
While the overall risk to patients from the Blue Shield data breach is relatively low since the data was only shared with Google, it underscores the importance of safeguarding personal information. Patients can take steps to protect their health data online, such as limiting what they share on health portals, using privacy-focused browsers, turning off ad personalization, opting out of tracking, reading privacy policies, monitoring accounts and credit, and asking questions of healthcare providers.
In addition to these basic steps, individuals can consider using personal data removal services, identity theft protection services, and strong antivirus software for extra peace of mind. By taking proactive measures to reduce their digital footprint and safeguard their personal information, individuals can minimize the risk of unauthorized access and misuse of their data.
Overall, the Blue Shield of California data breach serves as a reminder of the importance of data privacy and the need for healthcare organizations to prioritize the protection of sensitive information. Patients should be vigilant about how their data is being used and take steps to ensure their privacy and security online.
