Blue Shield of California disclosed it suffered a data breach after exposing protected health information of 4.7 million members to Google’s analytics and advertising platforms.
The nonprofit health plan, which serves nearly 6 million members across California, published a data breach notification on its website stating that member data was exposed between April 2021 and January 2024.
Today, the United States Department of Health and Human Services breach portal was updated to state that the leak exposed 4.7 million members’ protected health data.

According to the notice, the exposure was caused by a misconfiguration of Google Analytics on certain Blue Shield websites. This resulted in the sensitive data potentially being shared with Google advertising platforms and advertisers.
“On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information,” reads the notice.
“Google may have used this data to conduct focused ad campaigns back to those individual members.”
The data types exposed due to the misconfiguration include:
- Insurance plan name
- Type and group number
- City and zip code
- Gender
- Family size
- Blue Shield assigned identifiers for members’ online accounts
- Medical claim service date and service provider, patient name, and patient financial responsibility
- “Find a Doctor” search criteria and results (location, plan name and type, provider name and type)
Blue Shield noted that other personal information, such as Social Security numbers, driver’s license numbers, banking, and credit card information, was not exposed in this incident.
Nevertheless, it is recommended that members stay vigilant and closely monitor their account statements and credit reports to identify unauthorized/suspicious activity.
The organization has not offered identity theft protection services, and it is unclear whether individual notices will be sent to impacted members in the future.
This is the second large-scale IT incident disclosed by Blue Shield of California in under a year.
Last year, nearly one million health plan members had their data stolen by BlackSuit ransomware actors who breached the organization’s software solutions provider, Connexure (formerly Young Consulting).