Kaiser Permanente Reports Major Data Breach Affecting 13.4 Million Patients
Kaiser Permanente, one of the nation's largest not-for-profit health plans, has disclosed a major data breach impacting the personal information of 13.4 million members.
In an incident reported to the U.S. Department of Health and Human Services on April 12th, Kaiser revealed that website trackers from third-party tech companies like Microsoft, Meta, and Google had been inadvertently collecting and sharing sensitive patient data for advertising purposes.
The breached information included names, IP addresses, details on why patients accessed Kaiser's website or mobile apps, and inferred medical data based on their browsing activity across the web. This data was then used by the tech giants to serve targeted ads without Kaiser's knowledge.
While no hackers or malicious actors were involved, privacy experts note the exposed details could provide clues into an individual's medical diagnosis, conditions or treatment information – some of the most sensitive personal data.
In a similar incident dating to 2022, healthcare provider Atrium Health is facing a class-action lawsuit for allegedly sharing patient data with Facebook and Google through website tracking tools.
Kaiser stated they have now removed the trackers from their platforms and do not believe the data was misused beyond receiving targeted ads. However, the breach still ranks among the largest healthcare data incidents so far in 2023.
The health system has begun notifying the 13.4 million impacted members about the privacy lapse as required under HIPAA breach notification rules.
The incident has raised alarm bells over the widespread use of website tracking technologies that can inadvertently expose protected health information to third parties without patient consent.
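To make the exposure path concrete, the following is an added example (not from the article or from Kaiser) of the kind of audit a site owner can run: it parses a page for scripts and pixels loaded from hosts other than the first-party origin, and shows what context a third-party tracker receives on every hit (the full page URL, which encodes the reason for the visit, plus the client IP). The first-party hostname, the sample HTML and the sample URL are constructed for illustration.

```python
# Added example: audit a page for third-party loads and show what a tracker sees.
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "health.example.org"  # assumed first-party host (constructed)

# Constructed sample page: one first-party script, two well-known tracker
# scripts and a tracking pixel, plus a first-party image.
SAMPLE_HTML = """<html><head>
<script src="https://health.example.org/static/app.js"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
<img src="/images/logo.png">
</body></html>"""


class ThirdPartyLoads(HTMLParser):
    """Collect hostnames of script/img/iframe sources not on the first-party host."""
    TAGS = {"script": "src", "img": "src", "iframe": "src"}

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        src = dict(attrs).get(attr)
        if not src:
            return
        host = urlparse(src).hostname  # None for relative (first-party) URLs
        if host and host != FIRST_PARTY and host not in self.hosts:
            self.hosts.append(host)


def third_party_hosts(html):
    parser = ThirdPartyLoads()
    parser.feed(html)
    return parser.hosts


def tracker_visible_context(page_url, client_ip):
    """Fields a third-party tracker receives with each hit: the client IP from
    the connection, and the page URL (host, path, query) that reveals why the
    visitor came, e.g. a condition or appointment page."""
    u = urlparse(page_url)
    return {"ip": client_ip, "host": u.hostname, "path": u.path, "query": u.query}


if __name__ == "__main__":
    print("third-party loads:", third_party_hosts(SAMPLE_HTML))
    print(tracker_visible_context(
        "https://health.example.org/conditions/diabetes/appointment?reason=refill",
        "203.0.113.7"))
```

Running this against the constructed page lists the two Meta hosts and the Google Tag Manager host; the second function shows that even without a login, the path a patient browsed is enough to infer a condition.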
"Americans put a very high premium on the confidentiality of their medical records and history," said John Dermigny, a lawyer representing victims in the Atrium Health case. "This breach represents a fundamental violation of patient privacy rights."
As large breaches become increasingly common, the Kaiser incident underscores the need for stricter data security practices and potential reforms to U.S. health privacy laws to keep up with advances in technology.