Written by: Arti Ghargi
April 29, 2024
Kaiser Permanente, a major US health conglomerate, has confirmed a significant data breach, exposing the personal information of millions of current and former members.
The breach reportedly occurred in mid-April after Kaiser inadvertently shared patients' information with third-party advertisers, including tech giants Google, Microsoft, and X (formerly Twitter).
The fallout from the breach is substantial, affecting approximately 13.4 million current and former members and patients who accessed Kaiser's online platforms.
Kaiser will begin notifying its health plan members about the breach, the company said in a filing submitted to the Department of Health and Human Services on April 12. The notice was publicly posted last week.
The data security breach comes just days after a major ransomware attack on US health giant UnitedHealth that exposed patient data including their medical records, history, and transaction details.
Kaiser Permanente is one of the largest American not-for-profit health plans and says it serves 12.5 million members. It operates under the umbrella of the Kaiser Foundation Health Plan and provides health insurance plans to employers.
According to a statement shared with TechCrunch, Kaiser voluntarily conducted an investigation revealing that certain online technologies installed on its websites and mobile applications may have transmitted personal information to third-party vendors.
The data shared with advertisers includes member names, IP addresses, information indicating if members were signed into a Kaiser Permanente account, and details of their interactions with the website and mobile applications, including search terms used in the health encyclopedia.
However, details such as usernames, passwords, social security numbers, financial account information, or credit card numbers were not included in the transmission to these third parties, the organization said.
The organization also reported that it has not yet detected any misuse of these details.
Kaiser said that it has taken corrective measures by removing the tracking code from its websites and mobile apps. It will begin notifying affected individuals in May across all markets where Kaiser Permanente operates.
The organization also notified California's attorney general of the breach, although further details regarding the breach were not provided.
With more than 13 million individuals' data compromised, this is the biggest confirmed data breach in healthcare this year.
But that could change soon. UnitedHealth, which was affected by a ransomware attack disrupting the US healthcare system for weeks, has not yet revealed the exact extent of the breach or even the number of people affected by it.
The health insurer is expected to submit details of the attack, which impacted a significant share of the US population, to regulatory authorities.
Some estimates say that the impacted individuals count could rise to as much as 300 million.
This incident underscores a broader trend of healthcare organizations inadvertently sharing patients' personal information with third-party advertisers through online tracking mechanisms embedded in web pages and mobile apps.
Over the past year, similar breaches have been reported by telehealth startups, raising concerns about data privacy and security within the healthcare sector.