Blue Shield says it shared health info on up to 4.7M patients with Google Ads

US health insurance giant Blue Shield of California handed sensitive health information belonging to as many as 4.7 million members to Google's advertising empire, likely without these individuals' knowledge or consent. The data shared may have included medical claim dates and providers used, which raises the specter of Google …

  1. alain williams Silver badge

    This is why California needs a GDPR type law

    It needs much stronger data protection laws than exist in the USA.

    Both Blue Shield & Google top executives should receive massive fines if this is shown to be true. Fining the corporation will not change future behaviour.

    1. sedregj Bronze badge

      Re: This is why California needs a GDPR type law

      Why only CA? Surely this ought to be a federal issue ...

      Hmm you've got that DOGGIE thing and a President running roughshod over everything. However, you do have existing legislation and HIPAA has already been mentioned. That needs enforcing. No matter how many laws you have, you do need enforcement too.

      https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act

    2. UnknownUnknown Silver badge

      Re: This is why California needs a GDPR type law

      Que ??

      https://en.m.wikipedia.org/wiki/California_Consumer_Privacy_Act

      Largely a Cut’n’paste job of GDPR.

      1. Anonymous Coward

        Re: This is why California needs a GDPR type law

        Nope. I should know: my CA-based employer is trying to apply its CA privacy notice to its EU employees, and my union's lawyer confirmed there's plenty in there that's simply not good.

        The weaselly words that are acceptable in the US, such as the typical "except when prohibited by law", don't work. The GDPR requires clear wording, easy to understand, not legalese mishmash.

        1. O'Reg Inalsin

          Re: This is why California needs a GDPR type law

          As well as ... Enforcement!

          1. MachDiamond Silver badge

            Re: This is why California needs a GDPR type law

            "As well as ... Enforcement!"

            That's the big stumbling point. Politicians pass new laws all of the time with no mechanism to enforce them. Call the local police and it's "nothing we can do about that, mate". Call the FBI and they'll say it's a State law and outside of their mandate. Highway Patrol, maybe?

            If a consumer files a lawsuit, chances are that it will get preempted since that person agreed in their contract to arbitration so any first step would be to petition a court to void that clause so it can be filed in a real court. How many billable hours with an attorney will that be?

    3. Doctor Syntax Silver badge

      Re: This is why California needs a GDPR type law

      The UK DPA 1.0, back in the 80s, had a provision that the Information Commissioner could order a company to stop processing data as the ultimate sanction. In effect that meant it could close down a company that depended on processing data. I'm not aware of it being used, but as breaches become more and more egregious, having and occasionally using such a provision would be better than fines at any level.

    4. Anonymous Coward

      Re: should receive massive fines

      At least for the insurance provider, I've got a better idea:

      In the event of a major privacy breach, the insurer is now REQUIRED to rubber-stamp and allow ALL claims for a minimum period of a year, up to "many" years depending on the scope and how long it went undetected, and MAY NOT alter insurance rates for any insured person based on such claims OR medical conditions found or treated during that time.

  2. Anonymous Coward

    Targeted advertising

    "Google may have used this data to conduct focused ad campaigns back to those individual members,"

    Ok, give me 50%, NDA, and we are quits. My partners will appreciate. And I will use the technology myself.

  3. Anonymous Coward

    They aren't looking

    If they looked elsewhere, they'd find a lot more of this going on as there's not a healthcare profile for all the small portals for labs, hospitals, and clinics. I know there's one provider that when I have an upcoming appointment... I start getting cold calls for medical equipment scams that always stop the day after my appointment. And ads for medical insurance. But I'm sure that's not related, right?

    And the responsibility lies with the often-tech-incompetent healthcare providers to realize they are giving this data away. Or maybe the IT company is selling it for them? How would they even know?

    1. FirstTangoInParis Silver badge

      Re: They aren't looking

      How does Google get away with this? The information has been illegally sent per HIPAA, so the data is stolen goods. Surely at least this is wire fraud in the US. Google might receive this data, but it has no right to use it, so it should (a) not be using it and (b) alert the company it got it from and sort their configuration out.

      This is Director-level fines.

  4. An_Old_Dog Silver badge

    Translation

    "Google Analytics was configured in a way that allowed certain member data to be shared with Google's advertising product, Google Ads, that likely included protected health information"

    In other words, "Blue Cross/Blue Shield negligently allowed Google's dynamically-loaded code, which BC/BS had no idea what the hell it did, to run on BC/BS's web servers and, among other things, exfiltrate Protected Health Information."

    FALCON PUNCH!

  5. Pascal Monett Silver badge

    Ach, one word too many there

    "Upon discovering the issue, Blue Shield immediately initiated a review of its websites and security protocols to ensure that no other analytics tracking software is impermissibly sharing members' protected health information"

    FTFY

    1. BebopWeBop

      Re: Ach, one word too many there

      Maybe you should add 'without a revenue stream for Blue Shield'?

  6. Anonymous Coward

    "While we're all used to hyper-personalized ads following us around the web"

    Not really. I've been using ad blockers ever since they were created. I've seen browsers without one a couple of times: I'm definitely not used to that mess.

    1. Antron Argaiv Silver badge

      uBlock and NoScript keep me from seeing ads. When I want to buy something, I'll go looking for it, thanks. My iPhone won't let me block ads, and the few times I have tried to use its browser, I have been so bombarded with ads, I now avoid it at all costs.

      1. Anonymous Coward

        You need to disable JavaScript in Safari under Advanced Settings for Safari and all the ads will magically disappear.

        The only ads I see are static ads built into a website that are not personalized.

        1. David 132 Silver badge

          (Wasn’t me that downvoted you, btw)

          On my iPhone I use the iCab browser. Yes, it’s a re-skin of WebKit like just about every other browser on this benighted platform, but it does at least have (black/whitelist) blocking capabilities for ads and other unwanted content, as well as browser agent spoofing.

  7. JacobZ

    Blue Shield should be sued into oblivion

    This is a massive HIPAA violation. Blue Shield customers should sue it into oblivion.

    And then move on to all the other US health care "providers".

    I put "providers" in scare quotes, because the entire business model of health insurance is not to provide insurance, but to deny it.

    1. heyrick Silver badge

      Re: Blue Shield should be sued into oblivion

      They will be sued. But it'll be a class action that will make a headline of millions. However most of that will go to lawyers and the victims will get enough to buy a Happy Meal.

      What should happen, in any respectable place, is if a company fails so entirely to respect any sense of patient confidentiality, they're shut down. No if/but/maybe. There's an implied duty of care with medical records, and sharing any of that with random third-party advertisers ought to be a business-ending event (and ban management from holding managerial positions for an appropriate length of time).

      1. Anonymous Coward

        Re: Blue Shield should be sued into oblivion

        > the victims will get enough to buy a Happy Meal.

        Equally likely the victims will get a "free" year of "credit monitoring" or some other such thing, with an auto-subscribe tender at the end, so the victims become paying "customers" of whatever credit agency is involved, as well as being their product.

        With prices and tariffs on the rise, the price of a Happy Meal may not be such a bad thing by comparison. Hmm, now I want some french fries....

    2. Andrew Scott Bronze badge

      Re: Blue Shield should be sued into oblivion

      Without Blue Cross Blue Shield I'd probably be dead. They are probably one of the better medical insurance companies. It sounds like you've seen "Rainmaker" too many times.

  8. Anonymous Coward

    Why no mention of penalizing Google?

    Surely knowingly receiving HIPAA-protected information is just as wrong (if not more so) as accidentally releasing it. Shouldn't Google be held responsible for accepting any health-related data from any insurance company, hospital, provider, etc.? A fine of a few percent of global turnover should send the right message. If not, a few tens of percent...

    1. pc-fluesterer.info

      Re: Why no mention of penalizing Google?

      Nice dream ...

  9. Henry Wertz 1 Gold badge

    California

    Basically this news wouldn't have even come out if it weren't for CA having stronger privacy laws than the rest of the US. I'm sure this affects people in the other 49 states, but they aren't required to disclose it so they won't.
