U.S. Health Giant Kaiser Notifying Millions of Data Breach, Shared Patient Info with Advertisers

Cyber Attack

Kaiser, a prominent health conglomerate, is in the process of notifying millions of both current and former members about a significant data breach. The breach involved the inadvertent sharing of patients' information with third-party advertisers, including tech giants such as Google, Microsoft, and X (formerly Twitter).

In a statement provided to the media, Kaiser disclosed that its internal investigation uncovered the transmission of personal data to external vendors via certain online technologies embedded within its websites and mobile applications. The shared information encompasses member names, IP addresses, and indicators of their activity within Kaiser's digital platforms, such as sign-ins and navigation patterns. Additionally, search terms used within the health encyclopedia were also compromised.

Following the discovery, Kaiser promptly removed the tracking code from its digital platforms. This incident places Kaiser among a growing list of healthcare organizations that have unwittingly exposed patients' personal information to advertisers through online tracking mechanisms.

Diana Yee, a spokesperson for Kaiser, confirmed that notifications would be sent to approximately 13.4 million affected individuals, commencing in May across all regions served by Kaiser Permanente.

Furthermore, Kaiser fulfilled its legal obligation by submitting a formal notice to the U.S. government on April 12, subsequently disclosed last week, indicating that 13.4 million residents were impacted by the breach. The organization also notified California's attorney general, although specific details were not provided.

The Kaiser Foundation Health Plan, which encompasses various entities within the Kaiser Permanente network, is among the largest healthcare organizations in the U.S., providing health insurance plans to employers and boasting 12.5 million members as of 2023.

This breach marks the most significant health-related data breach of 2024 thus far, as listed by the Department of Health and Human Services.