Health insurance giant Blue Shield of California is notifying millions of people of a data breach. The company confirmed on Wednesday that it had been sharing patients’ private health information with tech and advertising giant Google since 2021.
The insurer said that the data sharing stopped in January 2024, but it only learned this February that the years-long collection contained patients’ personal and sensitive health information.
Blue Shield said it used Google Analytics to track how its customers used its websites, but a misconfiguration had allowed personal and health information to be collected as well, such as the search terms that patients used on its website to find healthcare providers.
The insurance giant said Google “may have used this data to conduct targeted ad campaigns back to those individual members.”
Blue Shield said the collected data also included insurance plan names, types and group numbers, along with personal information such as patients’ city, zip code, gender and family size. Details of Blue Shield-assigned member account numbers, claim service dates and service providers, patient names and patients’ financial responsibility were also shared.
Per a legally required disclosure with the U.S. government’s health department, Blue Shield of California said it is notifying 4.7 million individuals affected by the breach. The breach is believed to affect the majority of its customers; Blue Shield had 4.5 million members as of 2022.
It’s not immediately clear if Blue Shield asked Google to delete the data, or if Google has complied. Spokespeople for Blue Shield and Google did not immediately respond to requests for comment.
Blue Shield is the latest healthcare company to be caught out by the use of online tracking technologies. Online trackers are small snippets of code, often provided by tech giants, designed to collect information about a customer’s browsing activity by being embedded in mobile apps and websites. Tech and social media companies are usually the sources of these trackers, as they rely on the data for advertising and to drive the majority of their revenues.
Last year, U.S. health insurance giant Kaiser notified more than 13 million people that it had been sharing patients’ data with advertisers including Google, Microsoft and X, after embedding tracking code on its website.
Several other emerging healthcare companies, including mental health startup Cerebral and alcohol recovery startups Monument and Tempest, have disclosed past breaches involving the sharing of patients’ personal and health information with advertising companies.
The breach at Blue Shield of California currently stands as the largest healthcare-related data breach of 2025 so far, per the U.S. health department’s Office of Civil Rights.



