Massive Data Breach at Kaiser Health Conglomerate: Millions of Patients’ Information Exposed
Kaiser, a leading U.S. health conglomerate, has confirmed that it shared patients’ information with third-party advertisers, including Google, Microsoft, and X (formerly Twitter). The news comes as part of an investigation conducted by the company, which found that its websites and mobile applications may have transmitted personal data to external vendors.
Data Shared with Advertisers
According to Kaiser’s statement, the data shared with advertisers includes member names and IP addresses. Information that could indicate whether members were signed into a Kaiser Permanente account or service was also collected. This includes details on how members interacted with and navigated through the website and mobile applications, as well as search terms used in the health encyclopedia.
Removal of Tracking Code
In response to the investigation’s findings, Kaiser removed the tracking code from its websites and mobile apps. The company stated that this was done to prevent further data breaches and protect patients’ information.
Background on Kaiser Permanente
Kaiser Permanente is one of the largest healthcare organizations in the United States, providing health insurance plans to employers through its parent organization, the Kaiser Foundation Health Plan. As of the end of 2023, the company reported having over 12.5 million members.
The Data Breach: A Growing Concern
This data breach at Kaiser is the latest in a series of incidents where healthcare organizations have shared patients’ personal information with third-party advertisers through online tracking code. Over the past year, telehealth startups such as Cerebral, Monument, and Tempest have removed tracking code from their apps due to concerns over patient data security.
Notification Process
Kaiser has begun notifying 13.4 million affected current and former members and patients who accessed its websites and mobile apps. The notifications will start in May in all markets where Kaiser Permanente operates. Additionally, the company filed a legally required notice with the U.S. government on April 12, confirming that 13.4 million residents had their information exposed.
HIPAA Requirements
As an organization covered under the health privacy law known as HIPAA, Kaiser is required to notify the U.S. Department of Health and Human Services (HHS) of data breaches involving protected health information, such as medical data and patient records. The company also notified California’s attorney general of the data breach but did not provide further details.
The Largest Confirmed Data Breach of 2024
The breach at Kaiser is currently listed on the Department of Health and Human Services’ website as the largest confirmed health-related data breach of 2024 so far.