Kaiser Permanente: Another Avoidable Data Breach


Oversharing by a friend or acquaintance can be cringeworthy, but at least it won’t cost you money! U.S. healthcare conglomerate Kaiser Foundation Health Plan, which operates as Kaiser Permanente, recently overshared the personal information of 13.4 million of its current and former service users with third-party advertisers, potentially opening itself up to legal action, costly civil penalties under the Health Insurance Portability and Accountability Act (HIPAA), and reputational loss.

Transmission of personal information to third parties

In a media statement, the company said, “Certain online technologies, previously installed on websites and mobile applications, may have transmitted personal information to third-party vendors,” and it will be contacting those affected in May.

Kaiser operates in eight states and Washington D.C., running 40 hospitals and hundreds of medical facilities. What this statement alludes to is that tracking technologies such as pixels and cookies were collecting patient information and sending it to advertisers like X, Google, and Microsoft without first obtaining patients’ explicit permission.

We can safely assume that this was a careless data breach caused by bad housekeeping, and while it may sound less dramatic than the recent case in which Change Healthcare was targeted by a ransomware group called BlackCat, a breach through negligence is just as significant.

HIPAA fines

HIPAA fines vary according to the severity of the incident and the level of negligence involved in each case, but they are unlikely to be cheap. For example, in 2023, public health insurance provider L.A. Care Health Plan agreed to pay out $1.3 million for “Failure to comply with the HIPAA Security Rule” and “…impermissible disclosure of the ePHI of 1,498 individuals.” A manual configuration error had allowed members to view each other’s personal data.

With the Kaiser breach, the tracking technologies shared information such as visitors’ names, IP addresses, the pages they visited, whether they were signed in, and the search terms they used in Kaiser’s online health encyclopedia. While none of this could be defined as ePHI (Protected Health Information that is electronically created, stored, or transmitted), it could still trigger HIPAA penalties, and since Kaiser operates in California, it may contravene the California Privacy Rights Act (CPRA) as well.

Tracking technologies risk

Tracking technologies are great for giving third-party advertisers the kind of highly detailed information that allows them to deliver targeted ad campaigns, but the companies deploying them must obtain users’ consent under the various data protection regulations. If the company deploying the tracking technologies doesn’t obtain the right consent to store, transmit, and use its patients’ or customers’ personal information in the ways described, it will be in breach of the rules.

Although Kaiser has now removed the code responsible for the breach, the company must surely be asking what went wrong, and so it should be, not least because incidents like these seem to happen all the time, and because they are so avoidable.

Reflectiz protection

We highlighted the dangers of forgotten tracking pixels in this case study and of misconfigured cookies in this one. In both cases Reflectiz quickly caught the problems, and it could have alerted Kaiser Permanente, too.

Had Kaiser been using the Reflectiz solution, it would have monitored the company’s entire web ecosystem, mapping every first-, third-, and fourth-party app. The system would then have monitored every event, including tracking activity by pixels and cookies, to quickly discover what data was being collected with or without permission, and issued Kaiser priority alerts about the rogue tracking pixels. Reflectiz Continuous Web Threat Management is constantly on guard, monitoring and detecting online risks and vulnerabilities to keep all your user data safe. For maximum peace of mind, sign up today.
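The kind of check a web-monitoring system performs here, as an added example that is not Reflectiz’s code: it audits browser-side requests captured from a first-party site and flags third-party requests whose query strings carry search terms, identity or sign-in state, or echo the visited page URL. The site name, the ad-domain list, the sensitive-key list, and the captured requests are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed first-party site and an illustrative (not exhaustive) set of ad/analytics domains.
FIRST_PARTY = "example-health.test"
AD_DOMAINS = {"google-analytics.com", "doubleclick.net", "bing.com", "twitter.com"}
# Query keys that commonly carry visitor search terms, identity, or login state.
SENSITIVE_KEYS = {"q", "query", "search", "term", "name", "email", "signed_in", "logged_in", "uid"}

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the constructed sample."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def is_third_party(url):
    host = urlsplit(url).hostname or ""
    return registrable_domain(host) != FIRST_PARTY

def leaked_fields(request_url, page_url):
    """Sensitive query keys in the request, plus 'page_url' if the request embeds the
    path of the first-party page the visitor was on (e.g. the encyclopedia search page)."""
    params = parse_qs(urlsplit(request_url).query)
    found = sorted(k for k in params if k.lower() in SENSITIVE_KEYS)
    page_path = urlsplit(page_url).path
    if page_path and any(page_path in v for values in params.values() for v in values):
        found.append("page_url")
    return found

def audit(requests):
    """requests: list of (page_url, request_url). Returns one alert per third-party
    request that carries sensitive fields; first-party and benign requests are ignored."""
    alerts = []
    for page_url, request_url in requests:
        if not is_third_party(request_url):
            continue
        fields = leaked_fields(request_url, page_url)
        if fields:
            host = urlsplit(request_url).hostname
            alerts.append({"host": host, "fields": fields,
                           "known_ad_domain": registrable_domain(host) in AD_DOMAINS})
    return alerts

# Constructed sample of captured (page, outbound request) pairs.
SAMPLE_REQUESTS = [
    ("https://example-health.test/encyclopedia?q=chest+pain",
     "https://www.google-analytics.com/collect?v=1&dl=https%3A%2F%2Fexample-health.test%2Fencyclopedia%3Fq%3Dchest%2Bpain&q=chest+pain"),
    ("https://example-health.test/account", "https://px.ads.example.test/pixel?signed_in=1&uid=12345"),
    ("https://example-health.test/home", "https://example-health.test/api/session?uid=12345"),
    ("https://example-health.test/home", "https://cdn.example-cdn.test/lib.js?v=3"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_REQUESTS):
        print(alert)
```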
