Dive Brief:
A data breach at Blue Shield of California exposed information from 4.7 million people, according to a notice filed with federal regulators earlier this month.
In February, the insurer learned that Google Analytics, a vendor Blue Shield employs to track use of its websites, was sharing member data with the advertising service Google Ads from April 2021 through January 2024, according to a breach notice.
Blue Shield can’t confirm whether any particular beneficiary’s information is affected due to “the complexity and scope of the disclosures,” so the insurer is notifying all members who could have accessed their information on affected websites during the nearly three-year period.
Dive Insight:
The insurer said it severed the connection between Google Analytics and Google Ads early last year, and conducted a review to ensure no other analytics tracking software was exposing members’ protected health data.
Still, before the connection between the services was cut, Google may have used the information to target ad campaigns at beneficiaries.
“We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone,” the insurer said in the notice.
The incident at Blue Shield is the second-largest healthcare breach reported so far this year, according to a portal managed by the HHS’ Office for Civil Rights.
Data exposed could include health plan details and information about members’ online accounts as well as location information, gender and family size. Medical claim and service dates, provider and patient names and their financial responsibility for services, as well as search criteria and results from “Find a Doctor” searches, could be compromised too.
However, Social Security numbers, driver’s license numbers and banking and credit card details weren’t exposed, Blue Shield said in a breach notice.
The use of online tracking software, or technology embedded in a website or app that gathers information about user behavior, among healthcare organizations has drawn regulatory scrutiny in recent years.
Under the Biden administration, federal regulators warned telehealth companies and hospitals about using the software on their websites and apps, arguing they risk exposing protected health data to third parties. However, the HHS lost a lawsuit filed by provider groups last year over government guidance that sought to limit the use of tracking technologies, and some of the guidance was overturned.
The trackers are widespread on hospital websites, according to a 2023 study published in Health Affairs. Additionally, an analysis published last spring by data privacy firm Lokker found one-third of healthcare companies used the Meta Pixel, a piece of code that can be used to measure the effectiveness of ads on Facebook and Instagram, on their websites.
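As an added example, not code from the article or from Blue Shield, Google or Meta: a small Node.js script that performs the kind of review described above, scanning saved page HTML for the loader scripts of the trackers named here (Google tag, Google Tag Manager, Google Analytics, Meta Pixel) and checking whether each gtag('config', ...) call explicitly disables allow_google_signals and allow_ad_personalization_signals, the documented Google tag settings that govern sharing of Google signals and ad-personalization data. The script hosts and setting names are Google's and Meta's public ones; the measurement ID G-EXAMPLE1, the pixel ID and both sample pages are constructed for this example, and the article does not say which setting, if any, was involved at Blue Shield.

```javascript
// Added example (not from the article or any organization it mentions):
// a static scan of saved HTML for common third-party tracking snippets and
// a check of how each Google tag is configured. The script hosts below are
// the public ones used by Google tag / Google Analytics, Google Tag Manager
// and the Meta Pixel; both sample pages are constructed for this example.

const TRACKER_SIGNATURES = [
  { name: "Google tag (gtag.js)", re: /googletagmanager\.com\/gtag\/js/i },
  { name: "Google Tag Manager (gtm.js)", re: /googletagmanager\.com\/gtm\.js/i },
  { name: "Google Analytics (analytics.js)", re: /google-analytics\.com\/analytics\.js/i },
  { name: "Meta Pixel (fbevents.js)", re: /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i },
];

// Which known tracker loaders does this page reference?
function findTrackers(html) {
  return TRACKER_SIGNATURES.filter((sig) => sig.re.test(html)).map((sig) => sig.name);
}

// Pull each gtag('config', '<ID>', {...}) call out of inline scripts and record
// whether the two settings that govern advertising data sharing are explicitly
// false. Google documents both as defaulting to true, so a missing key counts
// as enabled. The options object is matched without nesting support, which is
// enough for the flat objects these calls normally carry.
const GTAG_CONFIG_RE =
  /gtag\(\s*['"]config['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*(\{[^{}]*\}))?\s*\)/g;

function flagIsFalse(optionsText, key) {
  const re = new RegExp(`['"]?${key}['"]?\\s*:\\s*false\\b`);
  return re.test(optionsText);
}

function auditGtagConfigs(html) {
  const results = [];
  for (const m of html.matchAll(GTAG_CONFIG_RE)) {
    const options = m[2] || "";
    results.push({
      measurementId: m[1],
      googleSignalsDisabled: flagIsFalse(options, "allow_google_signals"),
      adPersonalizationDisabled: flagIsFalse(options, "allow_ad_personalization_signals"),
    });
  }
  return results;
}

// Combine both checks into a list of findings a reviewer can act on.
function auditPage(html) {
  const trackers = findTrackers(html);
  const configs = auditGtagConfigs(html);
  const findings = trackers.map((t) => `tracker present: ${t}`);
  for (const c of configs) {
    if (!c.googleSignalsDisabled) {
      findings.push(`${c.measurementId}: allow_google_signals not disabled`);
    }
    if (!c.adPersonalizationDisabled) {
      findings.push(`${c.measurementId}: allow_ad_personalization_signals not disabled`);
    }
  }
  return { trackers, configs, findings };
}

// Constructed sample: Google tag with default settings plus the Meta Pixel loader.
const SAMPLE_WEAK = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE1');
</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '0000000000'); fbq('track', 'PageView');</script>
</head><body>Find a Doctor</body></html>`;

// Constructed sample: the same Google tag with both advertising settings off, no pixel.
const SAMPLE_HARDENED = `
<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE1"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-EXAMPLE1', {
    'allow_google_signals': false,
    'allow_ad_personalization_signals': false
  });
</script>
</head><body>Find a Doctor</body></html>`;

console.log("weak page:", auditPage(SAMPLE_WEAK).findings);
console.log("hardened page:", auditPage(SAMPLE_HARDENED).findings);
```

To run it over a site, replace the sample strings with the contents of saved pages (for example via fs.readFileSync). The parse is deliberately static, so it will miss trackers that a tag-manager container injects at runtime; treat it as a first pass that complements a browser-based crawl of the live pages rather than a substitute for one.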
Other healthcare firms have faced large data breaches linked to online trackers too. Last year, Kaiser Foundation Health Plan disclosed a breach that affected 13.4 million current and former plan members, while online mental health company Cerebral reported a breach in 2023 that impacted about 3.2 million people.