Blue Shield of California disclosed it suffered a data breach after exposing protected health information of 4.7 million members to Google’s analytics and advertising platforms.
The nonprofit health plan, which serves nearly 6 million members across California, published a data breach notification on its website stating that member data was exposed between April 2021 and January 2024.
Today, the U.S. Department of Health and Human Services breach portal was updated to state that the leak exposed 4.7 million members’ protected health data.
Source: ocrportal.hhs.gov
According to the notice, the exposure was caused by a misconfiguration of Google Analytics on certain Blue Shield sites. This resulted in the sensitive data potentially being shared with Google advertising platforms and advertisers.
“On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information,” reads the notice.
“Google may have used this data to conduct focused ad campaigns back to those individual members.”
The data types exposed due to the misconfiguration include:
Insurance plan name
Type and group number
City and zip code
Gender
Family size
Blue Shield assigned identifiers for members’ online accounts
Medical claim service date and service provider, patient name, and patient financial responsibility
“Find a Doctor” search criteria and results (location, plan name and type, provider name and type)
Blue Shield noted that other personal information, such as Social Security numbers, driver’s license numbers, banking, and credit card information, were not exposed as a result of this incident.
Nonetheless, it is recommended that members stay vigilant and closely monitor their account statements and credit reports to identify unauthorized/suspicious activity.
The organization has not offered identity theft protection services, and it's unclear whether individual notices will be sent to impacted members in the future.
This is the second large-scale IT incident disclosed by Blue Shield of California in under a year.
Last year, nearly one million health plan members had their data stolen by BlackSuit ransomware actors who breached the organization’s software solutions provider, Connexure (formerly Young Consulting).