
In April, Blue Shield of California and Yale New Haven Health System reported the largest breaches of 2025 so far to the HHS Office for Civil Rights (OCR).
- Blue Shield of California reported on April 9, 2025, that 4.7 million individuals were affected by a website tracking function that shared protected health information (PHI) with Google Analytics.
- On April 11, Yale New Haven Health System reported a hacking incident that compromised the PHI of 5.5 million patients.
Blue Shield of California Used Website Pixel Trackers
The company said it “used the third-party vendor service, Google Analytics, to internally track website usage of members who entered certain Blue Shield sites.”
“On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google’s advertising product, Google Ads, that likely included protected health information.”
The company also noted that Google may have used this data to conduct focused ad campaigns targeting individual members.
Blue Shield said the data exposed included insurance plan name, type and group number; city; zip code; gender; family size; Blue Shield assigned identifiers for members’ online accounts; medical claim service date and service provider, patient name, and patient financial responsibility; and “Find a Doctor” search criteria and results (location, plan name and type, provider name and type).
Website Pixel Trackers May Violate HIPAA
News of pixel tracking functions on healthcare websites broke into mainstream media in 2022 after several healthcare data breaches were reported to OCR. Pixel tracking is everywhere on the internet, and yet nearly invisible.
For healthcare organizations, the problem with pixel tracking is that sharing personal information with third parties like Google Analytics (and advertising platforms) is not authorized by the patients who use the websites, so the sharing potentially violates HIPAA. OCR has published a bulletin about the use of website pixel trackers, cautioning regulated entities to ensure they follow HIPAA.
The Federal Trade Commission (FTC) also intervened, taking its own enforcement actions related to pixel trackers.
Dozens of private class action lawsuits are pending related to breach of privacy caused by website pixel trackers.
Yale New Haven Health System Was Hacked
Yale New Haven Health System (Yale New Haven) reported that it discovered unusual activity affecting its IT network on March 8, 2025. Its investigation revealed that an unauthorized third party accessed its network and obtained copies of patient information.
Yale New Haven is the second-largest employer in Connecticut, with 31,000 employees. It operates five hospitals and a physician group practice of primary care and medical specialists.
According to Yale New Haven, the information compromised varies by patient, but may include demographic information (such as name, date of birth, address, telephone number, email address, race or ethnicity), Social Security number, patient type, and/or medical record number. Its electronic medical record system was not involved or accessed, and no financial accounts, payment information, or employee HR information were exposed.
The HIPAA question for Yale New Haven will be whether it took adequate steps to safeguard the patient data in its care. Did it follow the HIPAA Security Rule and conduct an annual Risk Analysis? Did it train its workforce?
Class Action Lawsuits and Investigations
Healthcare data breaches are expensive.
Nearly all healthcare data breaches of this size become potential class action lawsuits. Both of these incidents are already the subject of plaintiffs’ law firms’ advertisements for potential clients. An example of a typical solicitation is: “We would like to speak with you about your rights and potential legal remedies in response to this data breach.”
In addition to private lawsuits, both companies can expect to be investigated by OCR for potential HIPAA violations.
State Attorneys General may also investigate. California and Connecticut have been aggressive protectors of consumer and patient privacy under state privacy and consumer protection laws. For example, see a recent statement from Connecticut Attorney General William Tong, and a March announcement from California Attorney General Rob Bonta about investigations related to location data sharing and the California Consumer Privacy Act.
Reduce Risks With Compliance
You can safeguard patient data and reduce your risk of exposure by paying close attention to HIPAA requirements. Not every breach is avoidable, but taking defensive measures to reduce the likelihood of breaches will strengthen your defense against hackers and help you defend against investigations and lawsuits if breaches do occur.