{"id":2936,"date":"2025-04-25T02:20:37","date_gmt":"2025-04-25T02:20:37","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2936"},"modified":"2025-04-25T02:20:37","modified_gmt":"2025-04-25T02:20:37","slug":"lesson-from-huge-blue-shield-california-data-breach-read-the-manual","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2936","title":{"rendered":"Lesson from huge Blue Shield California data breach: Read the manual"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs can learn two lessons from a US health insurance provider\u2019s admission this month that misconfiguring Google Analytics led to the disclosure of personal health information of 4.7 million subscribers, says an expert.<\/p>\n<p>Those lessons, according to Brandon Evans, a senior instructor at the SANS Institute and a Tennessee-based independent security consultant, boil down to this:<\/p>\n<p>read the documentation of any third party service you sign up for, to understand the security and privacy controls;<\/p>\n<p>know what data is being collected from your organization, and what you don\u2019t want shared.<\/p>\n<p>\u201cIt\u2019s important to understand these giant platforms make it easy for you to share your data across their various services,\u201d he said. \u201cSo look out for settings to share data that you may not intend to share.\u201d<\/p>\n<p>Evans was commenting on <a href=\"https:\/\/news.blueshieldca.com\/notice-of-data-breach\">Blue Shield of California\u2019s admission<\/a> that, because its Google Analytics service was configured to allow some data to be shared with Google Ads, between April 2021 and January of this year a wide range of its data may have been used for targeted ads. 
<a href=\"https:\/\/ocrportal.hhs.gov\/ocr\/breach\/breach_report.jsf\">According to the US Department of Health and Human Services\u2019 web site,<\/a> the data of 4.7 million members was exposed.<\/p>\n<p>That information included members\u2019 insurance plan name, type, and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members\u2019 online accounts; medical claim service date and service provider, patient name, patient financial responsibility; and \u201cFind a Doctor\u201d search criteria and results (such as location, plan name and type, provider name and type).<\/p>\n<p>There was\u00a0no disclosure\u00a0of other types of personal information, such as Social Security numbers, driver\u2019s license numbers, or banking or credit card information, Blue Shield of California stressed.<\/p>\n<p>This puzzled Evans. Usually, he said, Google Analytics measures a person\u2019s use of a web site. Why, he wondered, would it have collected personal and health information?<\/p>\n<p>Asked for comment about how the misconfiguration happened and what IT admins could do to prevent this happening to them, Blue Shield of California referred CSO <a href=\"https:\/\/news.blueshieldca.com\/notice-of-data-breach\">to the company\u2019s statement about the incident.<\/a><\/p>\n<h2 class=\"wp-block-heading\">Common cloud misconfigurations<\/h2>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/574453\/misconfiguration-and-vulnerabilities-biggest-risks-in-cloud-security-report.html\">Misconfigurations by admins<\/a> \u2013 including insecure default software settings, enabling unnecessary features, giving users overly permissive access, and insecure API configurations \u2013 give CISOs grey hairs.<\/p>\n<p>\u201cThis kind of thing happens all the time and is an inherent risk in using services provided by companies who work in many areas,\u201d Evans said in an interview, noting that he\u2019s not surprised at the Blue Shield of 
California incident. \u201cGoogle does everything \u2013 they work in advertising, analytics, search, and cloud services. Technically speaking, if you share your data with an organization like Google, it is impossible to guarantee that data will not be used in another context.\u201d<\/p>\n<p>He noted that they might not intend to use your data, but nothing is stopping them from taking the data you shared in one context and using it in another.<\/p>\n<p>\u201cEven though Google is a reputable organization that offers its customers extensive security controls, they have a perfectly reasonable incentive to make it easy for customers to share data across Google services,\u201d he said. In fact, Google touts on its web page the <a href=\"https:\/\/support.google.com\/analytics\/answer\/9379420?hl=en#benefits&amp;zippy=%2Cin-this-article\">benefits of connecting Google Ads to Google Analytics<\/a>.<\/p>\n<p>On a separate page, Google also details <a href=\"https:\/\/support.google.com\/analytics\/answer\/9019185?hl=en#zippy=%2Cin-this-article\">privacy controls in Analytics<\/a>, including explaining how to disable advertising features.<\/p>\n<p>\u201cIt\u2019s very important [CISOs] review the settings on any platform you use,\u201d Evans said. \u201cWhile Google has an incentive to push you in the direction of using these [data] integrations, they are also, I am certain, very transparent about what these settings do.\u201d So, he said, know how any service\u2019s security and privacy controls work.<\/p>\n<p>\u201cRegardless of what precautions an admin takes,\u201d he stressed, \u201cif there is a concern by the organization that Google Ads would use this information, they should really consider whether or not they should be using a platform like Google Analytics in the first place. Because from a technical perspective, there is nothing stopping Google from sharing the information across its platform. 
\u2026 Google definitely gives you a great bunch of controls, but technically speaking, that data is within the walls of that organization, and it\u2019s impossible to know from the outside how that data is being used.\u201d<\/p>\n<p>The bigger question for a CISO to consider, he added, is whether data sharing with a third party is part of their <a href=\"https:\/\/www.csoonline.com\/article\/569225\/threat-modeling-explained-a-process-for-anticipating-cyber-attacks.html\">threat model<\/a>. There is inherent risk in sending data to a cloud provider, he said, but that risk may be outweighed by the benefits of using a reputable cloud provider.<\/p>\n<p>\u201cFrom a CISO\u2019s perspective, here\u2019s the key,\u201d said Ensar Seker, CISO at SOCRadar: \u201cWhen configuring Google Analytics, you must ensure that no query parameters, form inputs, or dynamic page elements can inadvertently pass sensitive data into the tracking code,\u201d to prevent it from tracking URLs with embedded personal information. For example, he said, if your application generates URLs like <em>example.com\/results?user=JohnDoe&amp;dob=01011990<\/em>, Google Analytics will collect those parameters unless the data is explicitly filtered out.<\/p>\n<p>Letting Google Analytics capture form field values should also be avoided, he said. This includes names, emails, birth dates, or anything classified as personally identifiable information or personal health information. 
Many sites unintentionally pass these through JavaScript variables that Analytics scripts can pick up, he noted.<\/p>\n<h2 class=\"wp-block-heading\">Risk mitigation<\/h2>\n<p>In the Google Analytics admin console, admins should:<\/p>\n<p>Disable enhanced measurement features like site search tracking or form interactions unless they\u2019re certain they don\u2019t expose sensitive data.<\/p>\n<p>Use filters to strip URL parameters that may contain identifying information.<\/p>\n<p>Limit access to Google Analytics configurations to only those with proper data privacy training, and ensure there\u2019s an infosec sign-off on every implementation or change.<\/p>\n<p>Never rely on Google Analytics to secure or anonymize your data, Seker added. It is not a security tool. Admins must ensure the data being sent is safe, before it ever reaches Google\u2019s servers.<\/p>\n<p>\u201cLastly, don\u2019t assume that just because it\u2019s \u2018analytics\u2019, it\u2019s low-risk. Breaches like this prove that even passive tracking can become a major compliance failure.\u201d<\/p>\n<p>Asked for comment, a Google spokesperson said, \u201cBusinesses, not Google, manage the data they collect, and must inform users about its collection and use. 
By default, any data sent to Google Analytics for measurement does not identify individuals, and we have strict policies against collecting\u00a0<a href=\"https:\/\/support.google.com\/analytics\/answer\/13297105?hl=en\" target=\"_blank\" rel=\"noopener\">Private Health Information (PHI)<\/a>\u00a0or advertising based on\u00a0<a href=\"https:\/\/support.google.com\/adspolicy\/answer\/143465\">sensitive information<\/a>.\u201d\u00a0<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs can learn two lessons from a US health insurance provider\u2019s admission this month that misconfiguring Google Analytics led to the disclosure of personal health information of 4.7 million subscribers, says an expert. Those lessons, according to Brandon Evans, a senior instructor at the SANS Institute and a Tennessee-based independent security consultant, boil down to [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2914,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2936","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2936"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2936"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2936\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2914"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinf
ocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2936"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2936"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2936"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}