Kaiser Permanente exposed data on 13.4 million members to tech companies

Kaiser Permanente has suffered an accidental data breach, exposing personal information of 13.4 million health plan members to third parties. The incident was reported to the U.S. Department of Health and Human Services (HHS) on April 12 and made public earlier this week.

According to reporting in TechCrunch, the “breach” is not a result of hackers or malicious actors. Instead, it stems from website trackers that share information with advertisers, namely Microsoft, Meta and Google. Kaiser was apparently unaware these programs were sending sensitive personal information on patients to tech companies. 

The tracking has been removed from Kaiser’s website and mobile platform, and the company does not believe any of the data has been used for any purpose other than advertising.

However, the information sent to advertisers is extensive, including patient names, IP addresses and details on why users were logged into Kaiser’s website. These trackers also follow users around the web, gathering browsing information. Combined, these details can offer clues about a patient’s diagnosis and medical history.

This data is then used to serve targeted ads on Google, social media platforms and other websites. 

In a similar incident still being litigated, Atrium Health is accused of using tracking technology that exposed sensitive patient information to advertisers and social media companies.

The Kaiser security incident is one of the largest breaches this year. While it’s likely the Change Healthcare ransomware attack will end up affecting more individuals, specific numbers have yet to be released as fallout from that data breach is still unfolding. 

Kaiser has begun notifying the affected 13.4 million people about the breach.

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
