Blue Shield says it shared health info on up to 4.7M patients with Google Ads US health insurance giant Blue Shield of California handed sensitive health information belonging to as many as 4.7 million members to Google's advertising empire, likely without these individuals' knowledge or consent. The data shared may have included medical claim dates and providers used, which raises the specter of Google …
Why only CA? Surely this ought to be a federal issue ...
Hmm you've got that DOGGIE thing and a President running roughshod over everything. However, you do have existing legislation and HIPAA has already been mentioned. That needs enforcing. No matter how many laws you have, you do need enforcement too.
https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
Nope. I should know: my CA based employer is trying to apply its CA privacy notice to its EU employees, and my union's lawyer confirmed there's plenty in there that's simply not good.
The weasely words that are acceptable in the US, such as the typical "except when prohibited by law" don't work. The GDRP requires clear wording, easy to understand, not legalese mishmash.
"As well as ... Enforcement!"
That's the big stumbling point. Politicians pass new laws all of the time with no mechanism to enforce them. Call the local police and it's "nothing we can do about that, mate". Call the FBI and they'll say it's a State law and outside of their mandate. Highway Patrol, maybe?
If a consumer files a lawsuit, chances are that it will get preempted since that person agreed in their contract to arbitration so any first step would be to petition a court to void that clause so it can be filed in a real court. How many billable hours with an attorney will that be?
The UK DPA 1.0, back in the 80s had a provision that the Information Commissioner could order a company to stop processing data as the ultimate sanction. In effect that meant it could close down a company that depended on processing data. I'm not aware of it being used but as breaches become more and more egregious having and occasionally using such a provision would be better than fines at any level.
At least for the insurance provider, I've got a better idea:
In the event of a major privacy breach, the insurer is now REQUIRED to rubber-stamp and allow ALL claims for a minimum period of a year, up to "many" years depending on the scope and how long it went undetected, and MAY NOT alter insurance rates for any insured person based on such claims OR medical conditions found or treated during that time.
If they looked elsewhere, they'd find a lot more of this going on as there's not a healthcare profile for all the small portals for labs, hospitals, and clinics. I know there's one provider that when I have an upcoming appointment... I start getting cold calls for medical equipment scams that always stop the day after my appointment. And ads for medical insurance. But I'm sure that's not related, right?
And the responsibility lies with the often-tech-incompetent healthcare providers to realize they are giving this data away. Or maybe the IT company is selling it for them? How would they even know?
How does Google get away with this? The information has been illegally sent per HIPPA so the data is stolen goods. Surely at least this is wire fraud in the US. Google might receive this data but it no right to use it so it should (a) not he using it and (b) alert the company it got it from and sort their configuration out.
This is Director level fines.
Google Analytics was configured in a way that allowed certain member data to be shared with Google's advertising product, Google Ads, that likely included protected health information"
In other words, "Blue Cross/Blue Shield negligently allowed Google's dynamically-loaded code, which BC/BS had no idea what the hell it did, to run on BC/BS's web servers and, among other things, exfiltrate Protected Health Information."
FALCON PUNCH!
(Wasn’t me that downvoted you, btw)
On my iPhone I use the iCab browser. Yes, it’s a re-skin of WebKit like just about every other browser on this benighted platform, but it does at least have (black/whitelist) blocking capabilities for ads and other unwanted content, as well as browser agent spoofing.
This is a massive HIPAA violation. Blue Shield customers should sue it into oblivion.
And then move on to all the other US health care "providers".
I put "providers" in scare quotes, because the entire business model of health insurance is not to provide insurance, but to deny it.
They will be sued. But it'll be a class action that will make a headline of millions. However most of that will go to lawyers and the victims will get enough to buy a Happy Meal.
What should happen, in any respectable place, is if a company fails so entirely to respect any sense of patient confidentiality, they're shut down. No if/but/maybe. There's an implied duty of care with medical records and sharing any of that with random third party advertisers ought to be a business ending event (and ban mangement from holding managerial positions for an appropriate length of time).
> the victims will get enough to buy a Happy Meal.
Equally likely the victims will get a "free" year of "credit monitoring" or some other such thing, with an auto-subscribe tender at the end, so the victims become paying "customers" of whatever credit agency is involved, as well as being their product.
With prices and taxiffs on the rise, the price of a Happy Meal may not be such a bad thing by comparison. Hmm, now I want some french fries....
Surely knowingly receiving HIPAA-protected information is just as wrong (if not more so) as accidentally releasing it. Shouldn't Google be held responsible for accepting any health-related data from any insurance company, hospital, provider, etc? A fine of few percent of global turnover should send the right message. If not, a few tens of percent...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
