Kaiser Permanente, a leading healthcare organization in the United States, has disclosed a data breach impacting approximately 13.4 million of its members and patients.
The breach involved unintended transmission of personal information to third-party vendors, including major tech companies Google, Microsoft Bing, and X (formerly Twitter), via installed online technologies on Kaiser’s websites and mobile apps.
Kaiser Permanente is renowned for its integrated healthcare services, offering both healthcare plans and medical services to millions across the country. It operates as a non-profit healthcare provider with a network that includes numerous hospitals and a comprehensive range of medical facilities.
The data exposure was discovered following an internal investigation that Kaiser Permanente conducted voluntarily. The company found that online trackers used on its websites and mobile applications were transmitting certain types of personal data to third parties when users interacted with its services.
The information potentially shared includes:
- IP addresses
- Names of users
- Indicators of a user being logged into a Kaiser account
- User interactions and navigation details on the sites and apps
- Search terms entered into Kaiser’s health encyclopedia
Kaiser Permanente noted in a statement shared with RestorePrivacy that sensitive data such as usernames, passwords, Social Security numbers, and financial details were not part of the data transmitted to third parties.
In response to these findings, the organization removed the offending technologies from all of its platforms. It has also adopted additional security measures, based on guidance from contracted cybersecurity experts, to prevent similar incidents.
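The kind of third-party data flow described above can be checked for before it reaches production. The following is an added example, not Kaiser's code or anything from the original article: given a page's URL and HTML, it lists which external hosts a page load contacts, separates scripts (which run with full access to the page, including the URL and login state) from passive pixels, and reports whether a search term in the URL would also reach those hosts via the Referer header. The tracker host list, the sample page and the treatment of a missing referrer policy as the worst case are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Illustrative ad-tech hosts only (assumption); a real audit needs a maintained list.
KNOWN_TRACKER_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com",
                       "bat.bing.com", "analytics.twitter.com"}
# Referrer policies under which cross-origin requests carry the full URL and query.
LEAKY_REFERRER_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

class _Collector(HTMLParser):  # gathers resource URLs and any <meta name="referrer">
    def __init__(self):
        super().__init__()
        self.scripts, self.passive, self.referrer_policy = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])      # executes with full page access
        elif tag in ("img", "iframe") and a.get("src"):
            self.passive.append(a["src"])      # pixel / beacon style loads
        elif tag == "link" and a.get("href"):
            self.passive.append(a["href"])
        elif tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.referrer_policy = (a.get("content") or "").lower()

def _hosts(urls, first_party):
    return {h for h in (urlsplit(u).hostname for u in urls) if h and h != first_party}

def audit_page(page_url, html):
    """Report which external hosts a page load contacts and what they can observe."""
    parts, c = urlsplit(page_url), _Collector()
    c.feed(html)
    scripts, passive = _hosts(c.scripts, parts.hostname), _hosts(c.passive, parts.hostname)
    query_keys = sorted(parse_qs(parts.query))
    # Assumption: no declared policy is treated as worst case (HTTP header unknown).
    leaky = c.referrer_policy is None or c.referrer_policy in LEAKY_REFERRER_POLICIES
    return {
        "third_party_scripts": sorted(scripts),   # can read URL, DOM and login state
        "third_party_passive": sorted(passive),
        "known_trackers": sorted((scripts | passive) & KNOWN_TRACKER_HOSTS),
        "url_params": query_keys,                  # e.g. a health-encyclopedia search term
        "query_in_referer": bool(query_keys) and bool(scripts | passive) and leaky,
    }

# Constructed sample: a search-results page with one first-party script and three tags.
SAMPLE_URL = "https://health.example.org/encyclopedia/search?query=diabetes"
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="//bat.bing.com/bat.js"></script><link rel="stylesheet" href="/static/site.css">
</head><body><img src="https://analytics.twitter.com/i/adsct?txn_id=example" width="1"></body></html>"""
```

A declared `strict-origin-when-cross-origin` or `no-referrer` policy stops the query from travelling in the Referer, but any third-party script still on the page can read it from the URL directly, which is why the script list is the more important finding.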
Although there is no evidence that the disclosed data has been misused, Kaiser Permanente has opted to inform all 13.4 million potentially affected individuals as a precautionary measure.
Kaiser Permanente members and patients are advised to remain vigilant by monitoring their account statements and health services interactions for any unusual activity. Although financial data was not compromised, staying informed about the latest updates from Kaiser regarding this incident is advisable as later-stage investigation findings may expand the scope of the impact.
The American healthcare system has been plagued by the widespread use of online trackers that extract sensitive medical information from healthcare portals and distribute it to a broad network of advertisers; numerous high-profile cases have brought the issue to light.
RestorePrivacy has previously highlighted similar exposures at WakeMed, GoodRx, and Cerebral, while UCSF Medical Center, Dignity Health Medical Foundation, Novant Health, and Advocate Aurora Health have also reported high-volume exposures from trackers.
Doggy Kruger
Sven, sir, once you said you were also going to, or planning to, review antivirus software. Is that still in the plan, or has it been ruled out? Will you review them, that is, third-party antivirus software, or are they redundant, as these days operating systems seem to have reasonably good built-in antivirus protection that may be sufficient for most people? What are your views?
Alex Lekander
Hi Doggy Kruger, we have put antivirus reviews on hold for now. We’re pretty busy working on a new category for the site with Identity Theft Protection (reviews, comparisons, and guides) and also updating old content and covering news items. We may still get to antivirus reviews, but it probably won’t be until later in the year.
bumpintheroad
Similar exposures? = trackers by the article.
Trackers might as well be hackers in my book.
United Health Group (UHG) is a health insurance company with a presence across all 50 US states.
Its subsidiary, Optum Solutions, operates the Change Healthcare platform, which is the largest payment exchange platform between doctors, pharmacies, healthcare providers, and patients in the US healthcare system.
UnitedHealth Group was hacked in Feb 2024
[https://www.bleepingcomputer.com/news/security/unitedhealth-confirms-optum-hack-behind-us-healthcare-billing-outage/]
Johnson
“In response to these alarming findings, the organization removed the offending technologies from all its platforms.”
Great. Now scrub this $#!+ from the entire internet. It’s long overdue.
Tiger
“The breach involved unintended transmission of personal information to third-party vendors, including major tech companies Google, Microsoft Bing, and X (formerly Twitter), via installed online technologies on Kaiser’s websites and mobile apps”. GOOG MSFT ARE SO desperate that they are hacking healthcare data
Asif Khan
mcw hack
bumpintheroad
[https://www.precisely.com/blog/data-security/data-scrambling-vs-encryption]
For most organizations, the motivation to encrypt their data is closely tied to various compliance requirements. Such compliance regulations include PCI DSS, HIPAA, HITECH, GDPR, Sarbanes-Oxley (SOX) and a whole host of regional privacy laws.
bumpintheroad
Tell me, is this the repeating case like any user who uses an app/website of any business, as falling prey to the actual TOS/PP they have in place?
Users:
Your options are to blindly use the app/website, in which case you’ve agreed to their TOS/PP by your continuing use thereof.
OR
Read to understand their TOS/PP and refuse it by not using their app/website. The legalese can be daunting. Maybe opt out, if so provisioned, of some of the data-mining but not all of it.
Where a business (non-profit) like Kaiser Permanente has blindly agreed to engage, with the involved unintended transmission of personal information to third-party vendors, including major tech companies Google, Microsoft Bing, and X (formerly Twitter), via installed online technologies on Kaiser’s websites and mobile apps. Because KP failed to legally vet the TOS/PP of supporting services through an attorney or legal counsel?
This is just one in the industry of the four healthcare providers RP has covered, but added up, how many US businesses – where data breaches impacting ??? millions of US citizens have happened every year. Yearly totals, anyone?