Kaiser Permanente Health Plan Inc. is notifying 13.4 million people that some of their personal information was disclosed to third parties, including X (Twitter), Microsoft (Bing), and Google, through tracking code embedded in its websites and mobile applications. This is the largest healthcare data breach reported so far in 2024 and the largest confirmed healthcare data breach to date involving website tracking technologies.
Kaiser Permanente said the tracking technologies were identified during a voluntary internal investigation. The tracking code has since been removed from its websites and mobile apps, and additional safeguards have been put in place to prevent a recurrence. Out of an abundance of caution, notification letters will be sent to everyone who may have been affected: all current and former health plan members in every market where Kaiser Permanente operates, as well as anyone who used its websites and mobile applications. The letters are expected to be mailed in May 2024.
The information that may have been transmitted to the technology companies included names, whether a visitor was signed in, IP addresses, and data about how visitors navigated the websites and applications. Depending on how an individual used the sites and apps, other data may also have been transmitted, including search terms entered into the health encyclopedia, such as the names of medications, symptoms, injuries, and exercise routines. No highly sensitive data was exposed, such as financial information, Social Security numbers, or usernames and passwords. Kaiser Permanente said it is not aware of any misuse of the disclosed information, although individuals may have been served targeted advertisements based on their activity on Kaiser Permanente's websites and applications.
The incident was reported to the Department of Health and Human Services' Office for Civil Rights (OCR) as a breach under the Health Insurance Portability and Accountability Act (HIPAA). OCR published guidance on HIPAA and tracking technologies in December 2022 and recently updated that guidance to clarify when these technologies may be used by regulated entities and how they can be used in a manner that complies with HIPAA.
The Federal Trade Commission (FTC) and OCR are cracking down on the use of these tracking technologies. In 2023 the two agencies sent warning letters to approximately 130 hospital systems and telehealth providers reminding them of their obligations under HIPAA and the FTC Act. The FTC has settled five enforcement actions, with GoodRx, Easy Healthcare (Premom), Monument, BetterHelp, and Cerebral, over alleged violations of the FTC Act arising from the use of these technologies without consumers' consent. State attorneys general have also investigated privacy violations involving tracking technologies; the New York Attorney General, for example, settled alleged violations of HIPAA and state law with NewYork-Presbyterian Hospital over its use of these tools.