Kaiser Permanente: Data Breach Might Affect 13.4M Members

April 26, 2024
On April 25, Kaiser Permanente execs told the press that their health plan had experienced a data breach exposing the data of 13.4 million plan members.

The Oakland, Calif.-based Kaiser Permanente organization has experienced a data breach that involves the data of 13.4 million members. The health plan has filed a legally required notice of the breach with the Department of Health and Human Services (HHS); it is the largest confirmed healthcare-related data breach of 2024 so far.

Reporter Zack Whittaker of TechCrunch first broke the story, writing on April 25 that “U.S. health conglomerate Kaiser is notifying millions of current and former members of a data breach after confirming it shared patients’ information with third-party advertisers, including Google, Microsoft and X (formerly Twitter). In a statement shared with TechCrunch, Kaiser said that it conducted an investigation that found ‘certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.’ Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members ‘interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia,’” Whittaker wrote. “Kaiser said it subsequently removed the tracking code from its websites and mobile apps.”

Also on April 25, SFGate’s Stephen Council reported that “Kaiser told SFGATE in a statement on Thursday, ‘certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter).’”

Council further noted that “Kaiser plans to notify 13.4 million people about the breach, and said the notifications are ‘out of an abundance of caution.’ That huge number includes ‘current and former members and patients who accessed our websites and mobile applications,’ the company said. Kaiser did not immediately respond to SFGATE’s question about the time frame of the breach. Any of the 13.4 million people may have had their personal information transmitted to the tech companies, but it isn’t clear what share of that number actually did. The incident makes Kaiser’s the biggest health-related breach of the year, per the HHS’ breach portal. Though the personal information didn’t include passwords, Social Security numbers or credit card information, per Kaiser, the tech giants reportedly had the chance to hoover up a swath of other data. The health care company’s statement to SFGATE said the breach may have included patients’ names, IP addresses, sign-in statuses and how they navigated through Kaiser’s website and mobile apps.”

Meanwhile, TechRadar’s Sead Fadilpašić reported on Apr. 26 that “Kaiser filed a notice with the U.S. government, and notified California’s attorney general of what had happened. Due to the sensitivity of the data they hold, healthcare organizations are a constant target for cybercriminals,” Fadilpašić noted. “Recently, Change Healthcare suffered a major ransomware attack in which the threat actors stole 4TB of valuable files. In exchange for keeping the data private and not sharing it on the dark web, the attackers demanded $22 million in cryptocurrency. In late 2023, after a supply chain attack on ESO Solutions, sensitive data from a number of healthcare organizations in the US was stolen, and in March of the same year, both Zoll Medical and Independent Living Systems reported data breaches,” he added.

 
