On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information. Google may have used this data to conduct focused ad campaigns back to those individual members.
Blue Shield severed the connection between Google Analytics and Google Ads on its websites in January 2024.
What information was involved
- Insurance plan name, type and group number;
- city;
- zip code;
- gender;
- family size;
- Blue Shield assigned identifiers for members’ online accounts;
- medical claim service date and service provider, patient name, and patient financial responsibility;
- “Find a Doctor” search criteria and results (location, plan name and type, provider name and type).
“Better” ads most likely, aka more personalized.
edit:
That’s their exact language
Allowing Google to run an ad campaign targeting their members wasn’t the benefit Blue Cross was talking about, that’s a side effect from them not turning off the data sharing option in the Google analytics settings.
The analytics data is used for prioritizing development work. If a tool they have on the website relies on a library that isn’t compatible with a new version of React, for instance, do they know how many people use it? Having analytics allows you to decide what’s worth spending the development time to maintain.