Kaiser Permanente has suffered an accidental data breach, exposing the personal information of 13.4 million health plan members to third parties. The incident was reported to the U.S. Department of Health and Human Services (HHS) on April 12 and made public earlier this week.
According to reporting in TechCrunch, the “breach” is not the result of hackers or malicious actors. Instead, it stems from website trackers that share information with advertisers, namely Microsoft, Meta and Google. Kaiser was apparently unaware that these trackers were sending sensitive personal information about patients to tech companies.
The tracking has been removed from Kaiser’s website and mobile platform, and the company does not believe any of the data has been used for any purpose other than advertising.
However, the information sent to advertisers is extensive, including patient names, IP addresses and details on why users were logged into Kaiser’s website. These trackers also follow users around the web, gathering browsing information. Taken together, these details can offer clues to a patient’s diagnosis and medical history.
This data is then used to serve targeted ads on Google, social media platforms and other websites.
In a similar incident still being litigated, Atrium Health is accused of using tracking technology that exposed sensitive patient information to advertisers and social media companies.
The Kaiser security incident is one of the largest breaches this year. While it’s likely the Change Healthcare ransomware attack will end up affecting more individuals, specific numbers have yet to be released as fallout from that data breach is still unfolding.
Kaiser has begun notifying the affected 13.4 million people about the breach.