13.4 Million Individuals Affected by Kaiser Permanente Website Tracker Breach

by | Apr 28, 2024

Kaiser Permanente Health Plan Inc. is notifying 13.4 million individuals that some of their personal information was disclosed to third parties, including X (Twitter), Microsoft (Bing), and Google, through tracking code embedded in its web pages and mobile applications. This is the largest healthcare data breach reported so far in 2024 and the largest confirmed healthcare data breach to date involving website tracking technologies.

Kaiser Permanente stated that the tracking technologies were discovered during a voluntary internal investigation. The tracking code has since been removed from its web pages and mobile apps, and additional safeguards have been put in place to prevent similar incidents in the future. Out of an abundance of caution, notification letters will be sent to everyone who may have been affected: all current and former health plan members in every market where Kaiser Permanente operates who used its web pages and mobile applications. The notification letters are expected to be mailed in May 2024.

The information that may have been transmitted to the technology companies included names, sign-in status, IP addresses, and data about how visitors navigated the web pages and applications. Depending on how an individual used the web pages and applications, other data may also have been transmitted, including search terms entered into the health encyclopedia, such as medications, symptoms, injuries, and workout routines. No highly sensitive data, such as financial information, Social Security numbers, or usernames and passwords, was exposed. Kaiser Permanente said it is not aware of any misuse of the disclosed information; however, it is possible that individuals were served targeted advertisements based on their activity on Kaiser Permanente’s web pages and applications.

The incident was reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as a Health Insurance Portability and Accountability Act (HIPAA) breach. In December 2022, OCR published guidance on HIPAA and tracking technologies, and it recently revised that guidance to clarify when these technologies may be used and how they can be used in a HIPAA-compliant manner.

The Federal Trade Commission (FTC) and OCR have been cracking down on the use of these tracking technologies. In 2023 they sent warning letters to around 130 hospitals and telehealth companies reminding them of their obligations under HIPAA and the FTC Act. The FTC has settled 5 cases, with GoodRx, Easy Healthcare (Premom), Monument, BetterHelp, and Cerebral, over alleged violations of the FTC Act involving the use of these technologies without consumers’ consent. State attorneys general, including the New York Attorney General, have also investigated privacy violations involving tracking technologies, and the New York Attorney General settled alleged violations of HIPAA and state law with New York Presbyterian Hospital over its use of these tools.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organizations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
