Kaiser notifies 13.4M individuals of data breach
Kaiser Foundation Health Plan is notifying millions of individuals that their data may have been disclosed to third parties due to the company’s use of tracking tech.
Kaiser Foundation Health Plan filed a data breach report with the HHS Office for Civil Rights (OCR), confirming a breach affecting 13.4 million records. The filing marks the largest breach reported to OCR in 2024 so far.
Kaiser told TechCrunch that the breach stemmed from its use of certain technologies installed on its websites and applications, which may have transmitted data to third-party vendors, such as Google, Microsoft, and X.
The impacted data includes member names, IP addresses, and information that revealed how members interacted with Kaiser’s sites.
Kaiser has since removed these tools from its website and applications and plans to notify all impacted customers in May.
“It's hard to gauge how bad this data breach is. It wasn't malicious. It wasn't a ransomware group exfiltrating data. It was, what looks like, a mistake in understanding what type of data was transmitted to vendors and advertisers,” said Roger Grimes, data-driven defense evangelist at KnowBe4.
“But the data did individually identify, by name, people and what they searched for and what web pages they spent time on. That's about as bad as a data leak gets without revealing bank account numbers and passwords.”
As previously reported, the use of third-party tracking technology on healthcare websites is widespread, which has led to numerous data breaches and regulatory pushback since 2022.
According to a recent report from law firm BakerHostetler, upwards of 200 lawsuits have been filed against healthcare organizations over their use of third-party web technologies, 75 percent of which were filed in 2023 alone.
The Federal Trade Commission (FTC) announced two enforcement actions related to third-party tracking tech in April 2024. The first banned Monument, an alcohol addiction treatment service, from disclosing data to third-party advertisers without user consent. Monument also faced a $2.5 million civil penalty.
The second recent FTC action prohibited the mental healthcare platform Cerebral from misrepresenting its privacy and data security practices and disclosing personal health information to third parties for advertising purposes. The proposed order also requires Cerebral to pay $7 million in penalties.
While the FTC is tackling cases involving non-HIPAA-covered entities, OCR has also been vocal about its stance on third-party tracking tech, which would apply to Kaiser as a HIPAA-covered entity. OCR’s recently updated guidance drew criticism due to the office’s determination that an IP address of a device that accesses a HIPAA-covered entity’s website constitutes PHI.
With this updated guidance, the American Hospital Association (AHA) is moving forward with its lawsuit against HHS, the outcome of which will likely determine how covered entities are permitted to engage with third-party analytics tools.