Blue Shield of California is facing a class action lawsuit after allegations surfaced regarding the improper sharing of patient data through Google Analytics. The lawsuit, filed in San Diego County Superior Court on April 14, 2025, accuses the health insurer of violating the California Confidentiality of Medical Information Act.
The class action lawsuit, filed by plaintiff Andrew Brown, claims that Blue Shield’s actions resulted in the “negligent maintenance and disclosure” of confidential medical information of its insured members. The lawsuit alleges that the insurer’s use of Google Analytics, which was linked to Google Ads, exposed sensitive personal health data between April 2021 and January 2024.
According to Blue Shield’s April 9, 2025 announcement, the breach occurred when Google Analytics was inadvertently configured in a way that allowed personal data, including protected health information (PHI), to be shared with Google’s advertising services. The health data disclosed reportedly included members’ insurance plan details, gender, ZIP code, medical claim dates, and provider information.
Blue Shield of California, one of the largest health insurers in the state, reported that the data breach had been traced back to an issue with Google Analytics and was rectified in January 2024. However, plaintiff Andrew Brown alleges that Blue Shield was aware of the breach as early as January 2024 and failed to notify its members for over a year.
The lawsuit highlights that Blue Shield’s use of Google Analytics and the subsequent linking to Google Ads was a deliberate business decision, which led to the unauthorized sharing of sensitive health information. The plaintiff claims that Blue Shield neglected its duty to protect its insured members’ PHI and failed to take adequate security measures to safeguard this confidential data.
“The breach of protected health information would not have occurred if Blue Shield had not given Google access to the data,” the lawsuit states. The plaintiff argues that Blue Shield placed its business interests above the responsibility to protect its members’ privacy.
In response to the breach, Blue Shield has reassured members that it has severed the connection between Google Analytics and Google Ads and that no further data was shared after January 2024. The insurer has also launched a review of its security protocols to prevent further breaches.
Andrew Brown, who has been a Blue Shield member since 2019, seeks to represent a class of California residents whose data was exposed in the breach. The class action includes claims under California’s Unfair Competition Law and requests for damages, injunctive relief, and attorney fees.
