In a significant disclosure, Blue Shield of California has admitted that a misconfiguration of its Google Analytics account led to the exposure of personal health information for approximately 4.7 million subscribers. This incident has raised pressing questions about the security measures organizations must implement when utilizing third-party services.
Brandon Evans, a senior instructor at the SANS Institute and a consultant based in Tennessee, underscored two vital lessons from this breach. First, he emphasized the importance of thoroughly reading documentation for any third-party service to understand the security and privacy controls in place. Second, it is crucial for organizations to monitor the type of data being collected and ensure that nothing confidential is shared inadvertently. According to Evans, “These giant platforms make it easy for you to share your data across their various services, so it’s essential to check the settings carefully.”
The breach, reported by Blue Shield, stemmed from Google Analytics being configured to permit some data sharing with Google Ads, which occurred between April 2021 and January of this year. Notably, the exposed data included details such as insurance plan names, gender, family size, and more, yet the company emphasized that sensitive information such as Social Security numbers or banking details was not compromised. For more information, the company’s statement can be accessed here.
Evans expressed his confusion over the data collection process, remarking, “Usually, Google Analytics measures a person’s use of a website. Why would it have collected personal and health information?” In discussing cloud security, he noted that common misconfigurations can plague organizations, causing significant risks that ultimately fall on the Chief Information Security Officers (CISOs). These vulnerabilities, exacerbated by the complexity of managing numerous services, can lead to unintentional data exposure.
Further complicating the situation, Esnar Seker, CISO at SOCRadar, advised that organizations must not only be wary of sharing information with third parties but should also devise a robust threat model. According to Seker, “When configuring Google Analytics, you must ensure that no sensitive data is accidentally passed into tracking codes.” This follows a trend where even passive data collection can lead to compliance failures.
Google has responded by stating that businesses are responsible for managing their data. A spokesperson reiterated that data sent to Google Analytics does not identify individuals by default and that the company maintains policies against collecting Private Health Information. For additional insights on privacy controls within Google Analytics, read more here.