Kaiser Permanente suffers a data breach that may impact 13.4M members

Kaiser Permanente, which operates 40 hospitals and 618 medical facilities, reported the breach, which stems from tracking technology that shared patient information with advertisers such as Microsoft and Google.


A Kaiser Permanente Health Plan data breach in mid-April affected 13.4 million members in what the U.S. Department of Health and Human Services called the largest confirmed health-related breach so far this year. Kaiser Foundation Health Plan, which operates as Kaiser Permanente, is one of the leading U.S. health care providers.

Companies covered by HIPAA are required to notify HHS of data breaches involving protected health information, such as medical data and patient records. The company submitted the required documentation to the agency on April 12, and the notice was posted publicly last week. Kaiser spokesperson Diana Yee said the organization would begin notifying affected current and former members and patients who accessed its websites and mobile apps. The notifications will start in May in all markets in which Kaiser Permanente operates. California-based Kaiser also notified its state attorney general of the breach.

The data breach stems from tracking technology that shared patient information with advertisers such as Microsoft and Google, TechCrunch reported. The health-care giant told the publication that after an investigation it found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

These vendors were able to access information such as patient names and IP addresses, as well as indicators that a user was signed into a Kaiser Permanente account and how they navigated different websites or applications. Kaiser Permanente said these tracking technologies have since been removed from its websites and apps.

“Out of an abundance of caution, we are informing about 13.4 million current and former members and patients who accessed our websites and mobile applications,” Kaiser told Reuters, adding that it has not identified any misuse of this data.

Kaiser Permanente operates 40 hospitals and 618 medical facilities in California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington and Washington, D.C. Kaiser is the latest health-care organization to confirm it shared patients’ personal information with third-party advertisers through online tracking code, often embedded in web pages and mobile apps and designed to collect information about users’ online activity for analytics. Over the past year, telehealth startups Cerebral, Monument and Tempest have pulled tracking code from their apps that shared patients’ personal and health information with advertisers.


Earlier this week, UnitedHealth Group said preliminary analysis of data stolen in the Feb. 21 cyberattack on its Change Healthcare subsidiary indicates that it “could cover a substantial proportion of people in America.” However, the company has yet to provide full numbers on how many people were affected.

Last week, the Medical Group Management Association sent a letter to the Department of Health and Human Services’ Office for Civil Rights seeking clarity on whether providers or Change Healthcare is responsible for alerting affected patients that their personal health information may have been compromised.