US healthcare conglomerate Kaiser is notifying millions of its members of a data breach after confirming it shared patient information with third-party advertisers including Google, Microsoft and X (formerly Twitter).
In a statement shared with TechCrunch, Kaiser said that it conducted an investigation which revealed “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third party providers.”
Kaiser said that the data shared with advertisers includes members’ names and IP addresses, as well as information that could indicate whether members were connected to a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, as well as search terms used in the health encyclopedia.”
Kaiser said it then removed the tracking code from its websites and mobile apps.
Kaiser is the latest healthcare organization to confirm that it has shared its patients’ personal information with third-party advertisers using online tracking code, which is often embedded in web pages and mobile applications and designed to collect information about users’ online activity for analysis. Over the past year, telehealth startups Cerebral, Monument and Storm removed tracking code from their apps that shared patients’ personal and health information with advertisers.
Kaiser spokeswoman Diana Yee said the organization will begin notifying affected members in May in all markets where Kaiser Permanente operates.
Kaiser’s spokesperson confirmed it was notifying 13.4 million “current and former members and patients” who accessed its websites and mobile apps.
The healthcare giant also filed a legally required notice with the US government on April 12, which was made public on Thursday, confirming that 13.4 million residents had information exposed.
U.S. organizations covered by the health privacy law known as HIPAA are required to notify the U.S. Department of Health and Human Services of any data breach involving protected health information, such as medical data and patient records. Kaiser also notified the California Attorney General of the data breach but did not provide further details.
The Kaiser Foundation Health Plan is the parent organization of several entities that make up Kaiser Permanente, one of the largest health care organizations in the United States. The Kaiser Foundation Health Plan offers health insurance plans to employers and reported 12.5 million members as of the end of 2023.
The breach at Kaiser is listed on the Department of Health and Human Services website as the largest confirmed health-related data breach of 2024 to date.
Do you know more about the data breach at Kaiser? To contact this reporter, get in touch on Signal and WhatsApp at +1 646-755-8849, or by email. You can also send files and documents via SecureDrop.