According to a recent report by TheStreet.com, Blue Shield of California has confirmed the largest health care data breach of 2025. The breach involved the unintended sharing of protected health information (PHI) due to a misconfigured implementation of Google Analytics.
Details of the Breach
On April 9, 2025, Blue Shield of California issued a notice stating that a misconfiguration in Google Analytics led to the potential exposure of patient data. The incident occurred between April 2021 and January 2024. During this period, certain PHI was shared with Google Ads and may have been used for targeted advertising.
The potentially exposed data includes:
- Names
- City and ZIP code
- Gender
- Family size
- Medical services information
- “Find a Doctor” search criteria and results
Blue Shield stated that no Social Security numbers, driver’s license numbers, or banking or credit card information were included in the breach.
Scope and Impact
Blue Shield did not confirm any individual instances of exposed data but is notifying all potentially affected users as a precaution. The company reported that 4.7 million patients may have been affected. According to TechCrunch, citing the U.S. Health Department, this is the largest health care-related data breach of the year.
Blue Shield said that no external bad actor was involved and that, to their knowledge, Google has not used the information for purposes other than targeted ads or shared it with third parties. The company advised members to monitor account statements and credit reports for suspicious activity.
Broader Context on Data Privacy
The report from TheStreet.com also referenced broader concerns regarding digital privacy. In 2020, a class-action lawsuit was filed against Google alleging it collected data through tools like Google Analytics and Ad Manager, even in Chrome’s “Incognito” mode. In April 2024, Google settled the lawsuit by agreeing to delete billions of records and allow incognito users to block third-party cookies for the next five years.
Google spokesperson Jose Castaneda stated, “We never associate data with users when they use incognito mode,” and said the company was willing to delete old technical data that was not associated with individuals and not used for personalization.
Ongoing Concerns About Data Use
The article from TheStreet.com noted additional context from previous years:
- In a 2018 SAS survey, 73% of respondents expressed increased concern about data privacy compared to previous years.
- A 2023 Pew Research Center report indicated that 71% of Americans were concerned about government use of personal data, up from 64% in 2019.
- The same report found that 77% of Americans lacked confidence in social media executives to admit mistakes and be accountable for data mishandling.
Related Incidents
The article referenced past concerns, including a reported remark by Facebook founder Mark Zuckerberg in leaked messages published by Business Insider, where he allegedly referred to early users as “dumb f*cks” for trusting him with their data.
According to HIPAA Journal, which cited data from the Department of Health and Human Services Office for Civil Rights, 2023 saw more health care data breaches than any year since 2009.