On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information. Google may have used this data to conduct focused ad campaigns back to those individual members.
Blue Shield severed the connection between Google Analytics and Google Ads on its websites in January 2024.
What information was involved
- Insurance plan name, type and group number;
- city;
- zip code;
- gender;
- family size;
- Blue Shield assigned identifiers for members’ online accounts;
- medical claim service date and service provider, patient name, and patient financial responsibility;
- “Find a Doctor” search criteria and results (location, plan name and type, provider name and type).
It goes further than that. They can track how people interact with the page, order of buttons pressed, if or when they abort a workflow etc. You can go as deep down the rabbit hole of analytics and optimizations as you want.