Kaiser Permanente Notifies Members of Data Breach


Website Tracking Technologies May Have Leaked Kaiser Member Data

Kaiser Permanente is notifying 13.4 million current and former health plan members of a data breach traced to tracking technologies.

The data breach stems from tracking technology that shared patient information with advertisers such as Microsoft and Google, according to a statement to TechCrunch. The healthcare giant told the publication that an investigation found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

Kaiser Permanente Reports and Removes Tracking Technologies

On April 12, 2024, Kaiser Permanente filed notice with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) describing a data breach affecting consumers nationwide. Kaiser Permanente said the tracking technologies have since been removed from its websites and apps, though the notice was not publicly posted until April 25.

Kaiser confirmed that the incident did not involve passwords, Social Security numbers or credit card information. However, data shared with advertisers does include:

  • Member names
  • IP addresses
  • Sign-in statuses
  • How members navigated different websites or applications

Tracking Technology Breaches Are Nothing New

Kaiser is the latest healthcare organization to confirm it shared patients’ personal information with third-party advertisers by way of online tracking code, often embedded in web pages and mobile apps and designed to collect information about users’ online activity for analytics.
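To make the mechanism concrete, the following is an added example (not Kaiser's, PrivaPlan's or TrackerReveal's code) that scans a page's HTML for resources the browser would load from hosts outside the organisation's own domain and records what each kind of embed can expose to that host. The vendor host list, the first-party domain and the sample HTML are constructed assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames of common advertising/analytics loaders. This mapping is an assumption
# made for the example; a real scan would use the organisation's own vendor inventory.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager",
    "www.facebook.com": "Meta Pixel",
    "bat.bing.com": "Microsoft Advertising",
}

class ThirdPartyLoadFinder(HTMLParser):
    LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, first_party_domain):
        super().__init__()
        self.first_party = first_party_domain.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOAD_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        # Tracker loaders are often protocol-relative ("//host/path").
        host = urlparse(url if "://" in url else "https:" + url).hostname
        if not host or host == self.first_party or host.endswith("." + self.first_party):
            return  # relative or first-party resource: nothing leaves the site
        # A <script> runs inside the page and can read whatever the member sees;
        # a pixel, iframe or stylesheet only yields the request (IP, URL, cookies).
        exposure = ("script runs in page: DOM, form fields, sign-in state" if tag == "script"
                    else "request only: IP address, page URL via Referer, cookies")
        self.findings.append({"tag": tag, "host": host, "exposure": exposure,
                              "vendor": KNOWN_TRACKER_HOSTS.get(host, "unidentified third party")})

def scan_html(html, first_party_domain):
    # Returns the third-party loads found in one page's HTML, in document order.
    finder = ThirdPartyLoadFinder(first_party_domain)
    finder.feed(html)
    return finder.findings

# Constructed sample standing in for a signed-in member portal page.
SAMPLE_HTML = """<html><head><script src="/static/portal.js"></script>
<script async src="//www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<link rel="stylesheet" href="https://fonts.example-cdn.net/site.css"></head>
<body><img src="https://www.facebook.com/tr?id=EXAMPLE&amp;ev=PageView" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    print(*scan_html(SAMPLE_HTML, "portal.example.org"), sep="\n")
```

Run against the sample, the scan reports the tag-manager script (full page access), the stylesheet host (unidentified, request-only) and the pixel image (request-only), while the first-party script is ignored.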

The Kaiser breach is listed on the HHS website as the largest confirmed health-related data breach of 2024 so far. In 2023, the telehealth startups Cerebral, Monument, and Tempest pulled third-party tracking code from their apps after discovering that more than three million patients’ personal and health information had been shared with advertisers like Facebook, Google, Microsoft, Pinterest, and TikTok.

Learn more about online tracking technologies and the OCR’s updated guidance in this article on our blog, Is Your Website Data HIPAA Compliant?

PrivaPlan Launches Web Tracking Tool to Identify Risks

While websites and mobile apps commonly use tracking technologies to collect and analyze user information, compliance is paramount for HIPAA-covered entities and Business Associates, as well as other federally regulated industries, to prevent unauthorized disclosures of personal information.

Enter TrackerReveal, your go-to solution for maintaining compliant website tracking.

Our cutting-edge tool conducts comprehensive scans of your website and apps to identify potential risks associated with tracking technologies and gives you dashboard reports, automated scans, and risk-ranked findings.

Learn more here.
