Medical insurance large Blue Defend of California is notifying hundreds of thousands of individuals of a knowledge breach. The corporate confirmed on Wednesday that it had been sharing sufferers’ personal well being data with tech and promoting large Google since 2021.
The insurer said that the info sharing stopped in January 2024, however it solely realized this February that the years-long assortment contained sufferers’ private and delicate well being data.
Blue Defend stated it used Google Analytics to trace how its prospects used its web sites, however a misconfiguration had allowed for private and well being data to be collected as properly, such because the search phrases that sufferers used on its web site to seek out healthcare suppliers.
The insurance coverage large stated Google “might have used this knowledge to conduct centered advert campaigns again to these particular person members.”
Blue Defend stated the collected knowledge additionally included insurance coverage plan names, varieties and group numbers, together with private data akin to sufferers’ metropolis, zip code, gender and household dimension. Particulars of Blue Defend-assigned member account numbers, declare service dates and repair suppliers, affected person names and sufferers’ monetary duty have been additionally shared.
Per a legally required disclosure with the U.S. authorities’s well being division, Blue Defend of California stated it’s notifying 4.7 million people affected by the breach. The breach is assumed to have an effect on the vast majority of its prospects; Blue Defend had 4.5 million members as of 2022.
It’s not instantly clear if Blue Defend requested Google to delete the info, or if Google has complied. Spokespeople for Blue Defend and Google didn’t instantly reply to requests for remark.
Blue Defend is the newest healthcare firm to be caught out by way of on-line monitoring applied sciences. On-line trackers are small snippets of code, typically offered by tech giants, designed to gather details about a prospects’ searching exercise by being embedded in cellular apps and web sites. Tech and social media firms are normally the sources of those trackers, as they depend on the info for promoting and to drive the vast majority of their revenues.
Final yr, U.S. medical health insurance large Kaiser notified greater than 13 million those that it had been sharing sufferers’ knowledge with advertisers together with Google, Microsoft and X, after embedding monitoring code on its web site.
A number of different rising healthcare firms, together with psychological well being startup Cerebral and alcohol restoration startups Monument and Tempest, have disclosed previous breaches involving the sharing of sufferers’ private and well being data with promoting corporations.
The breach at Blue Defend of California at present stands as the biggest healthcare-related knowledge breach of 2025 thus far, per the U.S. well being division’s Workplace of Civil Rights.