HIPAA://google.com

I got an e-mail today, that a vendor I have used in the past had a data breach, and at least some of the information they have on me was exposed. I mean, it's 2025 and that kind of thing happens literally every day.

What's different this time, though, is that it wasn't a malicious actor who took the data. Nor was it the vendor acting carelessly, or even unreasonably. This data breach -- of healthcare data, at that -- was caused by the normal course of business. Again, of course. It's 2025.

Notice of Data Breach

Dear Gregory,

We are writing to inform you about a potential data breach. It is reasonably believed that certain elements of your protected health information may have been accessed, acquired, used, or disclosed to a third party. Due to the complexity and scope, we are unable to confirm whether your specific information was affected but are sending this notice out of an abundance of caution. Blue Shield assures you that we take this matter very seriously. We have taken measures to safeguard against similar future disclosures.

What Happened

Like other health plans, Blue Shield historically used the third-party vendor service, Google Analytics, to internally track website usage of members who entered certain Blue Shield sites. We were doing this to improve the services we provide to our members. On February 11, 2025, Blue Shield discovered that, between April 2021 and January 2024, Google Analytics was configured in a way that allowed certain member data to be shared with Google's advertising product, Google Ads, that likely included protected health information. Google may have used this data to conduct focused ad campaigns targeted back to you. We want to reassure you no bad actor was involved, and, to our knowledge, Google has not used your information for any purpose other than these ads or shared your protected information with anyone.

[More removed.]

Ha ha! Fun!
My former healthcare provider used a Google product, and -- just as a matter of course -- that Google product hoovered up every piece of data it was exposed to, and then used it to target ads at me. All those sidebar come-ons for rectal itch cream suddenly make sense.

Blue Shield says that "no bad actor was involved," but is that really true? Shouldn't a product that, apparently by default, takes literally anything it can -- privacy be damned -- and tosses it into the old ad-o-matic not be considered the output of a bad actor? I guess it depends if you're defining "bad" as "illegal" or "unethical." I know which I'm using.

Blue Shield also says that "to our knowledge, Google has not used your information for any purpose other than these ads or shared your protected information with anyone." Which isn't as reassuring as their lawyers probably think it is. To my knowledge, Google isn't building data centers powered by ground puppies, so whew.

There have been lots and lots (and lots and lots) of commentary and complaints about the Google Omni-Maw and its endless, voracious consumption, but when a major healthcare provider uses a seemingly innocuous Google product and manages to get HIPAA violations all over every one of their clients... that seems bad. In my sense of the word, not Blue Shield's.

Call me a privacy-obsessed weirdo, but it seems that "mine-mine-mine-gimmie" is an unreasonable default configuration for a product, and an immoral default configuration for a company.

I wonder how much Gemini knows about my lumbago?

★