Kaiser Permanente exposed data on 13.4 million members to tech companies

Kaiser Permanente has suffered an accidental data breach, exposing personal information of 13.4 million health plan members to third parties. The incident was reported to the U.S. Department of Health and Human Services (HHS) on April 12 and made public earlier this week.

According to reporting in TechCrunch, the “breach” is not a result of hackers or malicious actors. Instead, it stems from website trackers that share information with advertisers, namely Microsoft, Meta and Google. Kaiser was apparently unaware these programs were sending sensitive personal information on patients to tech companies. 

The tracking has been removed from Kaiser’s website and mobile platform, and the company does not believe any of the data has been used for any purpose other than advertising.

However, the information sent to advertisers is extensive, including patient names, IP addresses and details on why users were logged into Kaiser’s website. These trackers also follow users around the web, gathering browsing information. These details can be pieced together to decipher clues about a patient’s diagnosis and medical history.

This data is then used to serve targeted ads on Google, social media platforms and other websites. 

In a similar incident still being litigated, Atrium Health is accused of using tracking technology that exposed sensitive patient information to advertisers and social media companies.

The Kaiser security incident is one of the largest breaches this year. While it’s likely the Change Healthcare ransomware attack will end up affecting more individuals, specific numbers have yet to be released as fallout from that data breach is still unfolding. 

Kaiser has begun notifying the affected 13.4 million people about the breach.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
