Kaiser Consortium Exposes Health Data Breach Impacting 13 Million Americans

The Kaiser Foundation Health Plan (KFHP), an entity operating on behalf of Kaiser Permanente, one of the largest US healthcare providers, announced that it would notify millions of patients of a data breach. According to a notice filed with the US government on April 12 and made public on April 25, the personal data of 13.4 million people is affected. Notifications to patients will begin in early May.

Personal data reported to Google, Microsoft and X


“Kaiser Permanente has determined that certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal data to third-party providers Google, Microsoft Bing and X (formerly Twitter) when members and patients accessed its sites or mobile applications,” said the health consortium.

The personal data shared with third parties includes the names and IP addresses of current and former members or patients. The third-party providers were also able to see whether members were signed in to a Kaiser account or service, and how members interacted with the site and apps (browsing habits, health encyclopedia searches). This is the largest data breach of 2024 in the US healthcare sector.

Kaiser Permanente confirmed that this personal data was shared with advertisers through “tracking pixels,” which typically take the form of small pieces of JavaScript code or HTML tags embedded in web pages. When a user visits the page in question, the code executes and sends a request to an external server that records the action. These tools are usually designed to collect personal data for analytics, and that data is then shared with marketing and advertising firms and data brokers. The company says that, following a voluntary internal investigation, the “tracking pixels” have been removed from its websites and mobile applications.
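As an added illustration (not code from the article or from Kaiser Permanente), the following Python script audits an HTML page for exactly the kind of third-party loads described above: it flags every `<img>`, `<script>` or `<iframe>` that fetches from a host other than the site's own, and marks 1x1 remote images as tracking pixels. The tracker host list, the first-party hostname and the sample patient-portal page are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping of tracker hosts to the vendors the article names (not exhaustive).
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google",
    "bat.bing.com": "Microsoft Bing",
    "analytics.twitter.com": "X (Twitter)",
}

class TrackerFinder(HTMLParser):
    # Collects <img>, <script> and <iframe> tags whose src loads from another host.
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("img", "script", "iframe") or not src:
            return
        # Relative URLs have no hostname: they load from the first party itself.
        host = urlparse(src).hostname or self.first_party_host
        if host == self.first_party_host:
            return
        self.findings.append({
            "tag": tag,
            "host": host,
            "vendor": TRACKER_HOSTS.get(host, "unknown third party"),
            # A 1x1 image fetched from a remote host is the classic tracking pixel.
            "pixel": tag == "img" and a.get("width") == "1" and a.get("height") == "1",
        })

def audit_html(html, first_party_host):
    """Return every third-party load found in the page, in document order."""
    finder = TrackerFinder(first_party_host)
    finder.feed(html)
    return finder.findings

# Constructed sample of a patient-portal page; hostnames and ids are illustrative only.
SAMPLE_PAGE = """<html><body>
<img src="/static/logo.png" alt="logo">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<img src="https://bat.bing.com/action/0?ti=EXAMPLE" width="1" height="1">
<img src="https://analytics.twitter.com/i/adsct?txn_id=EXAMPLE" height="1" width="1">
</body></html>"""

if __name__ == "__main__":
    print(*audit_html(SAMPLE_PAGE, "portal.healthplan.example"), sep="\n")
```

Running the script against a saved copy of a page (or the HTML returned by a crawler) gives a quick inventory of which vendors receive a request on every page view; the hit itself carries the visitor's IP address and, via the referrer, the page path and any search terms in it.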

A common tracking method in healthcare


Last year, e-health start-ups shared personal and health information with third parties using this same method. Cerebral, for example, “inadvertently” shared the mental health assessments of 3.1 million patients in the United States with Facebook, Google and TikTok. Monument, an American start-up specializing in prescribing online treatments for alcohol use disorders, also shared the data of more than 100,000 patients, including their answers about their alcohol consumption and their identity photo.

Kaiser Permanente operates 40 hospitals and more than 600 medical facilities in California, Colorado, Washington DC, Georgia, Hawaii, Maryland, Oregon and Virginia. In June 2022, the healthcare provider announced that it had been the victim of a data breach, exposing the health information of more than 69,000 patients. At the time, a cybercriminal accessed an employee's email account containing protected health data, including lab test results.
