Blue Defend of California disclosed it suffered a knowledge breach after exposing protected well being info of 4.7 million members to Google’s analytics and commercial platforms.
The nonprofit well being plan, which serves practically 6 million members throughout California, printed a knowledge breach notification on its web site stating that member knowledge was uncovered between April 2021 and January 2024.
As we speak, the United States Division of Well being and Human Providers breach portal was up to date to state that the leak uncovered 4.7 million members’ protected well being knowledge.
In accordance with the discover, the publicity was brought on by a misconfiguration of Google Analytics on sure Blue Defend websites. This resulted within the delicate knowledge probably being shared with Google promoting platforms and advertisers.
“On February 11, 2025, Blue Defend found that, between April 2021 and January 2024, Google Analytics was configured in a manner that allowed sure member knowledge to be shared with Google’s promoting product, Google Advertisements, that doubtless included protected well being info,” reads the discover.
“Google might have used this knowledge to conduct centered advert campaigns again to these particular person members.”
The info varieties uncovered because of the misconfiguration embrace:
- Insurance coverage plan title
- Sort and group quantity
- Metropolis and zip code
- Gender
- Household measurement
- Blue Defend assigned identifiers for members’ on-line accounts
- medical declare service date and repair supplier, affected person title, and affected person monetary duty
- “Discover a Physician” search standards and outcomes (location, plan title and kind, supplier title and kind)
Blue Defend famous that different private info, similar to Social Safety numbers, driver’s license numbers, banking, and bank card info, weren’t uncovered because of this incident.
Nonetheless, it’s endorsed that members keep vigilant and carefully monitor their account statements and credit score studies to determine unauthorized/suspicious exercise.
The group has not supplied identification theft safety companies, and it is unclear whether or not particular person notices can be despatched to impacted members sooner or later.
That is the second large-scale IT incident disclosed by Blue Defend of California in beneath a 12 months.
Final 12 months, practically a million well being plan members had their knowledge stolen by BlackSuit ransomware actors who breached the group’s software program options supplier, Connexure (previously Younger Consulting).
