GENE ONLINE

2024-04-26| Trending

Kaiser’s Data Breach: 13.4 Million Affected in Healthcare Conglomerate’s Privacy Crisis

by Bernice Lottering

Kaiser Permanente, the Oakland-based health care conglomerate, is alerting millions of its customers about a potential privacy breach, wherein one of its divisions may have inadvertently disclosed their names, symptom searches, and other data to major tech companies. The incident, originating from a data breach at Kaiser Foundation Health Plan, has impacted the information of over 13 million individuals, as reported to the federal government early this month.

Names, IP Addresses & History Leaked to Third-Party Advertisers

Kaiser Foundation Health Plan, operating under the name Kaiser Permanente, stands as one of the leading healthcare providers in the U.S. According to a legally mandated notice submitted to the U.S. government on April 12 and reported on Thursday, the Kaiser Foundation Health Plan has confirmed that 13.4 million residents had their information compromised in a data breach. The breach involved unauthorized access/disclosure of network server information, whereby patients’ information was shared with third-party advertisers, including Google, Microsoft, and X (formerly Twitter).

In a statement, Kaiser disclosed that its internal investigation revealed “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.” The health giant stated that the data shared with advertisers comprises member names and IP addresses, along with details that could indicate whether members were logged into a Kaiser Permanente account or service and how they “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.” Kaiser subsequently confirmed that it had removed the tracking code from its websites and mobile apps.

The Incident Scope of 2024’s Biggest Breach Remains Unknown

According to Kaiser spokesperson Diana Yee, the organization will begin notifying 13.4 million affected current and former members and patients who used its websites and mobile apps. Notifications are slated to commence in May across all markets where Kaiser Permanente operates. This vast number encompasses both current and former members and patients who have accessed Kaiser’s digital platforms. Despite the magnitude of the breach, Kaiser has yet to specify the exact timeframe of the incident, leaving questions unanswered regarding the duration of potential data exposure.

While the breach has the potential to impact all 13.4 million individuals, it remains unclear what proportion of this number has had their personal information transmitted to the aforementioned tech companies. Nevertheless, this incident stands out as one of the most significant health-related breaches of the year, according to data from the breach portal of the Health and Human Services (HHS) Office for Civil Rights. Despite the absence of sensitive information such as passwords, Social Security numbers, or credit card details, Kaiser acknowledges the possibility that the tech companies involved could have accessed a wide range of other personal data. This includes patients’ names, IP addresses, sign-in statuses, and their activities within Kaiser’s digital ecosystem.

Widespread Data Abuse: Kaiser Not Alone in Regulatory Oversight

Kaiser, like other healthcare organizations, has acknowledged sharing patients’ personal data with third-party advertisers through online tracking codes commonly found in web pages and mobile apps. Previously, a study published in the journal Health Affairs showed that third-party tracking tools were utilized on nearly 99% of hospital websites. However, an increasing number of incident reports surrounding unintended data exposure revealed a general abuse of private data in addition to poor security measures. Last year, telehealth startups such as Cerebral, Monument, and Tempest found themselves in hot water for sharing private health information, including mental health assessments as well as alcohol addiction and recovery data of millions of patients in the U.S., with advertisers and major social media platforms such as Facebook, Google, Pinterest and TikTok.

Following these incidents, and amid an increasing number of investigations and ensuing lawsuits, the HHS, responsible for enforcing HIPAA, revised its guidance on the use of tracking technologies. The agency now advises against using pixel trackers in any manner that could lead to unauthorized disclosures of health data to tech companies or other violations of HIPAA. As a consequence of the specific enforcement action, a majority of healthcare startups, some of which may have been unaware that their marketing tools were transmitting patient information to third parties, found themselves scrambling to review their website and app infrastructure. Even now, they are evaluating how they handle patients’ protected health information to mitigate risks and stay in compliance with evolving regulations.
