US health group Kaiser is notifying millions of current and former members of a data breach after confirming it shared patient information with third-party advertisers, including Google, Microsoft and X (formerly Twitter).
In a statement shared with TechCrunch, Kaiser said that it conducted research that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”
Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate whether members were logged into a Kaiser Permanente account or service and how members “interacted and navigated through the website and mobile applications, as well as search terms used in the health encyclopedia.”
Kaiser said it subsequently removed the tracking code from its websites and mobile apps.
Kaiser is the latest health care organization to confirm that it shared personal patient information with third-party advertisers through online tracking code, which is often embedded in websites and mobile apps and is designed to collect detailed information about users’ online activity. In the past year, telehealth startups Cerebral, Monument and Storm have pulled tracking code from their apps that shared patients’ personal and health information with advertisers.
Kaiser spokeswoman Diana Yee said the organization will begin notifying 13.4 million affected current and former members and patients who accessed its websites and mobile apps. The notices will begin in May in all markets where Kaiser Permanente operates, the spokeswoman said.
The health giant also filed a legally required notice with the US government on April 12, but went public on Thursday, confirming that 13.4 million residents had been exposed.
US organizations covered by the health privacy law, known as HIPAA, are required to notify the US Department of Health and Human Services of data breaches involving protected health information, such as medical data and patient records. Kaiser also notified California’s attorney general of the data breach, but did not provide further details.
The Kaiser Foundation Health Program is the parent organization of the many entities that make up Kaiser Permanente, one of the largest health care organizations in the United States. The Kaiser Foundation Health Program provides health insurance plans to employers and reported 12.5 million members as of the end of 2023.
The breach at Kaiser is listed on the Department of Health and Human Services website as the largest confirmed health-related data breach of 2024 so far.
To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849 or via email. You can also send files and documents via SecureDrop.