4.7 million customers’ data accidentally leaked to Google by Blue Shield of California

Blue Shield of California leaked the personal data of 4.7 million people to Google after a Google Analytics misconfiguration. The tech giant may have used this data for targeted advertising, according to Blue Shield, which is one of the largest health insurers in the US.

In a data breach notice on its website, Blue Shield says it has begun notifying “certain members of a potential data breach that may have included elements of their protected health information.”

Blue Shield, a nonprofit health insurer serving nearly 6 million members, used Google Analytics to monitor how customers interacted with its websites to improve services. However, a configuration error in Google Analytics allowed sensitive member data to spill to Google Ads, potentially exposing customer data for almost three years. This likely included protected health information.

Blue Shield stated, “Google may have used this data to show targeted ad campaigns to individual members.”

The transmission of data took place between April 2021 and January 2024. The leaked information includes various details such as the type of health insurance plan, postal code and city, gender, family size, account IDs, names of insured persons, and search queries related to finding a doctor, which could reveal members’ health concerns or needs.

Blue Shield said there was no leak of other types of personal information, such as Social Security numbers, driver’s license numbers, or banking or credit card information.

After discovering the leak, Blue Shield said it reviewed all its websites to ensure no other tracking software was sharing protected health information with third parties.

Usually in a data breach we can point at cybercriminals who went out of their way to obtain the data. In this case, a simple misconfiguration shared data with an entity that already knows so much about us, which then used the information for targeted advertising.

Maybe this case can serve as a cautionary tale about using analytics tools in areas where misconfigurations can lead to severe privacy violations, especially when sensitive data is involved.

Blue Shield is notifying all customers who may have accessed their member information on the potentially impacted Blue Shield websites during the relevant time frame.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.
