
Millions impacted by data breaches at Blue Shield of California, mammography service and more

The sensitive healthcare information of millions in the U.S. has been leaked through data breaches that multiple insurance companies, clinics, hospitals and more reported recently.

The largest involves Blue Shield of California, which informed the U.S. Department of Health and Human Services (HHS) of an incident impacting 4.7 million people. 

In breach notification letters and in a notice on its website, the insurer said that from April 2021 to January 2024, it used Google Analytics to internally track website usage of members who entered certain Blue Shield sites.

In February, the company realized that Google Analytics “was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information.” 

“Google may have used this data to conduct focused ad campaigns back to those individual members. We want to reassure our members that no bad actor was involved, and, to our knowledge, Google has not used the information for any purpose other than these ads or shared the protected information with anyone,” the company said. 

The information shared with Google includes insurance plan name; group number; zip code; gender; family information; online account numbers; medical claim service dates; names; “Find a Doctor” search criteria and results; and more.

Blue Shield of California said it ended the connection between Google Analytics and Google Ads on its websites in January 2024. 

Google did not respond to requests for comment about whether the data that was collected has been deleted or where it currently is. 

Tech and healthcare companies’ use of patient data for advertising has been a persistent issue for more than five years. 

The Federal Trade Commission (FTC) and HHS previously sent a joint letter to about 130 hospital systems and telehealth providers warning of security risks posed by tracking technologies such as the Meta/Facebook Pixel and Google Analytics.

The agencies cautioned that such technologies, typically embedded in websites and mobile apps, collect users’ identifiable information in ways that are hard for consumers to avoid. The agencies also said users are often unaware that their health data is disclosed to third parties as a result of the tracking.

Companies like Kaiser, BetterHelp, GoodRx, Premom and Flurry have faced massive penalties for either harvesting sensitive healthcare data or sharing it with third-party vendors like Google.

But last year, the federal government backed off new regulations it had issued to limit hospitals’ deployment of web-tracking tools after a federal court ruled that the Biden administration’s efforts to restrict the use of online trackers by hospitals and other health providers were illegal.

Other incidents emerge in April

Other healthcare organizations have flooded state regulators with notices of data leaks exposing hundreds of thousands of individuals’ information. 

Since the beginning of April, at least 17 healthcare organizations have reported breaches to regulators in Maine, with several affecting more than 100,000 victims.

Just in the last week, Onsite Mammography, Kelly & Associates Insurance Group, Behavioral Health Resources, Hamilton Health Care System, Central Texas Pediatric Orthopedics and Medical Express Ambulance Service have all reported data breaches resulting from cyberattacks. 

Several of these breaches have been claimed by ransomware gangs who plan to leak the stolen data or already have. 

The attack on Onsite Mammography, announced on Monday, impacted 357,265 people and included names, Social Security numbers, medical records and other health information.

The sensitivity of the leaked data has already prompted potential class action lawsuits.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.