
Kaiser Permanente breach exposes millions to third-party advertisers


U.S. health giant Kaiser Permanente has disclosed a data breach affecting approximately 13.4 million current and former members. Personal information, including names, IP addresses, and interaction data, was potentially shared with third-party advertisers.

 

What happened

Kaiser Permanente, headquartered in Oakland, California, is a leading healthcare plan in the United States with 40 hospitals and 618 medical facilities in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington. 

According to the U.S. Department of Health and Human Services, the health plan reported a data breach on April 12, 2024, involving unauthorized access/disclosure through a network server.

The breach occurred through an online tracking code embedded in Kaiser's websites and mobile applications. The code may have transmitted the personal information of millions of members, including names, IP addresses, interaction patterns on their platforms, and health-related search terms, to third-party vendors such as Google, Microsoft, and X (formerly Twitter). 

Kaiser clarified that no usernames, passwords, Social Security numbers, financial account information, or credit card numbers were transmitted in the breach.

 

What was said

Kaiser Permanente spokesperson Diana Yee confirmed the breach and stated the organization's intention to notify affected individuals: “Kaiser Permanente conducted a voluntary internal investigation into the use of these online technologies, and subsequently removed them from its websites and mobile applications.”

Kaiser Permanente will start notifying affected individuals in all markets where it operates. The organization has also notified the California state attorney general of the breach.

Furthermore, Kaiser Permanente states it “has implemented additional measures with the guidance of experts designed to safeguard against recurrence of this type of incident.”

 

By the numbers

According to Kaiser Permanente’s website, its health plan finances the care delivered by:

  • 24,605 physicians of the Permanente Medical Groups
  • 73,618 nurses
  • 75,000 allied health professionals 
  • 40 hospitals and 618 medical facilities

The breach at Kaiser Permanente affects 13.4 million individuals, making it the largest confirmed health-related data breach of 2024 thus far.

 

In the know

Online tracking codes are often integrated into web pages and mobile apps to gather analytical data on users' online behavior. This data can include information on the pages visited, links clicked, and time spent on each page, helping businesses understand user preferences and improve their online experience. Additionally, tracking codes can be used for targeted advertising and personalized marketing campaigns based on browsing history. 

However, covered entities (including health plans) must ensure transparency about their tracking practices and obtain user consent under privacy regulations. Failure to do so can lead to backlash and potential legal consequences for violating privacy laws. 

 

Why it matters

This breach exposes vulnerabilities in cybersecurity and may prompt regulatory changes and stricter data protections across healthcare. For individuals, it raises the risk that sensitive data will be misused, potentially leading to targeted advertising based on health concerns or to risks like identity theft.

It also indicates a larger trend towards extensive digital data collection, influencing consumer behavior and decision-making as people become more cautious about sharing personal information.
