
Kaiser Permanente notifies 13.4M patients of potential data exposure

Kaiser Permanente medical care facility.

Kaiser Permanente informed 13.4 million current and former members and patients who accessed its websites and mobile apps that certain online tracking technologies may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X when members accessed those websites or apps.

In a statement, Kaiser said the information involved was limited to the following: IP addresses and names; information that could indicate a member or patient was signed into a Kaiser Permanente account or service; information showing how a member or patient interacted with and navigated through the website and mobile applications; and search terms used in the health encyclopedia.

Kaiser first reported the incident April 12 to the U.S. Department of Health and Human Services (HHS). The large non-profit healthcare provider said that no usernames, passwords, Social Security numbers, financial account information, or credit card numbers were included in the transmission to the third-party tech companies.

“Kaiser Permanente conducted a voluntary internal investigation into the use of these online technologies, and subsequently removed them from the websites and mobile applications,” said Kaiser in its statement. “Kaiser Permanente is not aware of any misuse of any member’s or patient’s personal information.”

Tracking technologies have long been a privacy risk

These data privacy risks from leading tech apps have been known for some time, said David Finn, executive vice president of governance, risk and compliance at First Health Advisory.

Finn noted that in July 2023, federal regulators warned hospital systems and telehealth providers about the data privacy risks of using third-party tracking technologies. These services, such as Meta Pixel or Google Analytics, could violate the Health Insurance Portability and Accountability Act (HIPAA) or Federal Trade Commission (FTC) data security rules.

The FTC and HHS’ Office for Civil Rights then issued a rare joint release announcing that 130 hospital systems and telehealth providers received a letter warning them about the data privacy and security risks related to the use of online tracking technologies integrated into their websites or mobile apps.

“Providers should have taken that opportunity to check their own systems,” said Finn. “This is just a reminder that checking boxes does not provide security nor privacy. These tracking tools are ubiquitous — it’s how companies like Google, Meta, X, and many others make their money. Putting them on your network with patient data and patients using the systems requires an extra level of effort. Data brokers or resellers of data don't mix well with protected information or patient privacy.”

Narayana Pappu, chief executive officer of Zendata, added that the presence of third-party trackers belonging to advertisers, and the over-sharing of customer information with these trackers, has been a pervasive problem in the healthcare tech and government sectors. Pappu said once shared, advertisers have used this information to target ads at users for complementary products based on health data. It's happened multiple times in the past few years, including at GoodRx.

"Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome: an entity and the use case the data was not intended for has access to it," said Pappu. "There's usually no monitoring/auditing process to identify and prevent the issue."
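The monitoring gap Pappu describes can be partly closed by auditing what a browser actually sends off-site. The following is an added Python example, not code from the article, Kaiser Permanente, or Zendata: it takes a captured list of outbound request URLs and flags third-party requests whose query strings carry a signed-in flag, a search term, or the first-party page URL with its query (which is how a tracker learns the page visited and the search term). The host names, parameter names and sample requests are constructed assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Added example: audit a browser's outbound requests for third-party
# beacons carrying the data categories named in the notice (page visited,
# search terms, signed-in status). Host names, parameter names and the
# sample requests below are constructed assumptions, not real traffic.
FIRST_PARTY = "healthportal.example"
KNOWN_TRACKERS = {"www.google-analytics.com", "bat.bing.com", "analytics.twitter.com"}
# Query keys that would directly carry member data if sent to a third party.
SENSITIVE_KEYS = {"q", "search", "name", "logged_in", "uid"}

SAMPLE_REQUESTS = [
    "https://healthportal.example/encyclopedia?q=diabetes",
    "https://www.google-analytics.com/collect?v=1&logged_in=1"
    "&dl=https%3A%2F%2Fhealthportal.example%2Fencyclopedia%3Fq%3Ddiabetes",
    "https://bat.bing.com/action/0?evt=pageLoad"
    "&p=https%3A%2F%2Fhealthportal.example%2Fencyclopedia%3Fq%3Ddiabetes",
    "https://cdn.example-static.net/app.js?v=42",
]


def is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def audit_requests(requests, first_party=FIRST_PARTY,
                   trackers=KNOWN_TRACKERS, sensitive=SENSITIVE_KEYS):
    """Return one finding per third-party request that leaks member data."""
    findings = []
    for url in requests:
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if is_first_party(host, first_party):
            continue  # first-party traffic stays under the provider's own controls
        leaked = []
        for key, values in parse_qs(parsed.query).items():
            if key in sensitive:
                leaked.append(key)
                continue
            for value in values:
                # A value embedding the first-party page URL together with its
                # query string discloses the page visited and the search term.
                inner = urlparse(value)
                if inner.hostname and is_first_party(inner.hostname, first_party) and inner.query:
                    leaked.append(f"{key}=<page URL incl. query>")
        if leaked:
            findings.append({"host": host, "known_tracker": host in trackers,
                             "leaked": sorted(leaked)})
    return findings
```

Run `audit_requests(SAMPLE_REQUESTS)` to see the two third-party beacons flagged while the first-party search and the static CDN fetch pass.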
