The Register

First: the "Blue Cross" and "Blue Shield" are certifications that an insurance company can get that are defined by the Blue Cross and Blue Shield Association. So, this company only got the Shield, but not the Cross. It's a whole thing. I have experience with one who had both, and it's a pain to maintain, but it ensures a lot of quality if done well. It's not always done well.

Second: I've had to have this kind of conversation with a marketing person that you can't even advertise certain things on the member's site about what kinds of doctors or services would be available because you can't share information with others on the plan. If Mom goes to the doctor for fertility, that does not mean she wants Dad to know. Also, if daughter goes to get a procedure done, you can't, unless DIRECTLY AUTHORIZED, tell anyone else in the family. Because the logic for all of that is a bit complicated, we told him in no uncertain terms that it was impossible and we were going to work against him doing it.

I'm still surprised people in Insurance are making these kinds of dumb mistakes. It's not that hard to just protect the data. Yes, breaches happen, but this is them handing it over. Get a few good data analysts and you can develop some really good algorithms, OR develop your own LLM with the user's data. BUT KEEP IT INSIDE OF THE DATACENTER.