On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information. Google may have used this data to conduct focused ad campaigns back to those individual members.
Blue Shield severed the connection between Google Analytics and Google Ads on its websites in January 2024.
What information was involved
- Insurance plan name, type and group number;
- city;
- zip code;
- gender;
- family size;
- Blue Shield assigned identifiers for members’ online accounts;
- medical claim service date and service provider, patient name, and patient financial responsibility;
- “Find a Doctor” search criteria and results (location, plan name and type, provider name and type).
It’s quite possible to self host this stuff.
As a web developer that blocks all this shit, that’s the line I always use. I would just use first-party analytics from the same domain the website is hosted from. The added bonus is that people like me wouldn’t even be able to block it without blocking the entire website (at least with DNS).