Kaiser Permanente (KP), one of the largest healthcare organizations in the United States, announced a data breach affecting 13.4 million current and former members. The breach consisted of patient information being unintentionally shared with third-party advertisers, including prominent names like Google, Microsoft, and X (formerly Twitter).
What’s Happening & Why This Matters
Kaiser’s internal investigation revealed that online tracking technologies, embedded within their websites and mobile apps, were transmitting personal data directly to advertisers. The passed data included:
- member names,
- IP addresses,
- details about interactions with Kaiser’s digital platforms, and
- search terms used within their health service encyclopedia.
Upon discovering the breach, Kaiser removed the problematic tracking codes from its platforms to prevent further data leakage.
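The mechanism described above (tracking scripts and pixels embedded in a site sending identifiers and search terms to advertiser hosts) is the kind of leak a site owner can look for before it is reported. The following is an added example, not code from Kaiser Permanente or any vendor named here: a small auditor that parses a page's HTML, lists every script, image or iframe loaded from a host outside an allowlist of first-party origins, and flags tracking URLs whose query string carries search terms or member identifiers. The hostnames, parameter names and sample page are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Hypothetical first-party hostnames for the site being audited (not Kaiser's).
FIRST_PARTY_HOSTS = {"portal.example-health.test", "www.example-health.test"}

# Query-string keys that often carry member-identifying data or search terms.
SENSITIVE_PARAMS = {"q", "query", "search", "term", "name", "email", "member_id"}


class TrackerAuditor(HTMLParser):
    """Collects every script, image or iframe loaded from a non-first-party host."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self._check(tag, src)

    def _check(self, tag, url):
        parsed = urlparse(url)
        host = parsed.hostname
        # Relative URLs have no host; first-party hosts are expected and skipped.
        if host is None or host in FIRST_PARTY_HOSTS:
            return
        # Any sensitive parameter in a third-party URL means data leaves the site.
        leaked = sorted(set(parse_qs(parsed.query)) & SENSITIVE_PARAMS)
        self.findings.append({
            "tag": tag,
            "host": host,
            "sensitive_params": leaked,
            "risk": "high" if leaked else "medium",
        })


def audit_html(html):
    """Return a list of third-party loads found in the page, in document order."""
    parser = TrackerAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one first-party script, one third-party analytics
# script, and a 1x1 tracking pixel whose URL carries the visitor's search term.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://analytics.example/collect.js"></script>
</head><body>
<img src="https://ads.example/pixel?q=diabetes%20diet&uid=123" width="1" height="1"/>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_html(SAMPLE_HTML):
        print(f"{finding['risk']:6} {finding['tag']:6} {finding['host']} "
              f"params={finding['sensitive_params']}")
```

Static HTML only catches tags present at load time; scripts that build tracking requests dynamically need the same allowlist check applied to the site's network traffic (or enforced with a Content-Security-Policy whose `connect-src` and `img-src` directives list only approved hosts).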
As mandated by U.S. health privacy laws (HIPAA), Kaiser has filed a notice with the U.S. government and will begin notifying affected individuals starting in May. They also informed California’s Attorney General about the breach. “This breach is a wake-up call for the healthcare industry about the risks associated with third-party data sharing,” explains a Crowdstrike cybersecurity advisor who specializes in healthcare. “Organizations must ensure robust data protection measures are in place, especially when dealing with sensitive health information.”
Those affected face potential privacy risks as their personal and health-related information may have been accessed by advertisers. The breach is a reputational blow for KP and may lead to regulatory scrutiny and financial penalties for failing to protect patient data. The breach reinforces ongoing security concerns regarding patient information in digital health platforms industry-wide.
TF Summary: What’s Next
Kaiser Permanente’s data breach is another black eye for data security within the healthcare sector. As the organization expedites its response plan, the larger healthcare industry may see tighter oversight, stricter regulations and increased scrutiny over how patient data is accessed, managed, and protected.
Continued security breaches and data loss highlight the critical need for healthcare providers [and all data-rich industries] to reassess their privacy policies. Further, each industry requires flexible and comprehensive safeguards to protect [user] information from unauthorized access.