Data Breach at Kaiser Permanente Affects 13.4 Million People

Kaiser Permanente, a leading healthcare organization in the United States, has disclosed a data breach impacting approximately 13.4 million of its members and patients.

The breach involved the unintended transmission of personal information to third-party vendors, including major tech companies Google, Microsoft Bing, and X (formerly Twitter), via online technologies installed on Kaiser’s websites and mobile apps.

Kaiser Permanente is renowned for its integrated healthcare services, offering both healthcare plans and medical services to millions across the country. It operates as a non-profit healthcare provider with a network that includes numerous hospitals and a comprehensive range of medical facilities.

The data exposure was discovered following an internal investigation conducted voluntarily by Kaiser Permanente. The company discovered that online trackers used on its websites and mobile applications were transmitting certain types of personal data when users interacted with its services.

The information potentially shared includes:

  • IP addresses
  • Names of users
  • Indicators of a user being logged into a Kaiser account
  • User interactions and navigation details on the sites and apps
  • Search terms entered into Kaiser’s health encyclopedia

Kaiser Permanente noted in a statement shared with RestorePrivacy that sensitive data such as usernames, passwords, Social Security numbers, and financial details were not part of the data transmitted to third parties.

In response to these alarming findings, the organization removed the offending technologies from all its platforms. Based on guidance from the contracted cybersecurity experts, additional security measures have been adopted to prevent similar incidents.

Despite no evidence suggesting the misuse of the disclosed data, Kaiser Permanente has opted to inform all 13.4 million potentially affected individuals as a precautionary measure.

Kaiser Permanente members and patients are advised to remain vigilant by monitoring their account statements and health services interactions for any unusual activity. Although financial data was not compromised, staying informed about the latest updates from Kaiser regarding this incident is advisable, as later-stage investigation findings may expand the scope of the impact.

The American healthcare system has been plagued by the widespread use of online trackers that extract sensitive medical information from healthcare portals and distribute it to a broad network of advertisers, an issue that numerous high-profile cases have brought to light.

RestorePrivacy has previously highlighted similar exposures at WakeMed, GoodRx, and Cerebral, while UCSF Medical Center, Dignity Health Medical Foundation, Novant Health, and Advocate Aurora Health have also reported high-volume exposures from trackers.


