Healthcare provider Kaiser Permanente has disclosed a data breach stemming from online tracking technologies that inadvertently shared patient information with third-party advertisers.
Kaiser Permanente is a subsidiary of the insurance giant Kaiser Foundation Health Plan, which covers over 12 million members. It operates 40 hospitals and 618 medical offices in eight states and the District of Columbia, employing over 24,000 physicians and 73,000 nurses.
According to a regulatory filing with the US Department of Health and Human Services (HHS) on April 12, the data breach impacted 13.4 million individuals who visited the company’s website and mobile apps.
Healthcare provider data breach may facilitate targeted advertising
Kaiser Permanente said the data breach stemmed from “certain online technologies” transmitting users’ information to some third-party advertising companies such as Google, Microsoft Bing, and X.
It leaked users’ names and IP addresses and could indicate whether a member or patient was signed into a Kaiser Permanente account or service.
However, the data breach did not expose usernames, passwords, social security numbers (SSNs), financial account information, or credit card numbers.
While the data breach did not reach the most sensitive medical and personal information, it could disclose how users “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia,” the healthcare provider said.
Third-party advertisers could use this information for targeted advertising, which is highly invasive, especially when promoting products that suggest or focus on existing health conditions.
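The leak described above has two halves: what a third-party tag can see on a page, and what the site lets it see. The following is an added example, not code from Kaiser Permanente or any ad vendor. It models the hit an unrestricted analytics tag would assemble from page state (full URL with the encyclopedia search term, referrer, member name and ID, signed-in flag), a site-side scrub that removes identity fields and collapses health-revealing URLs to their section, and an audit function a site owner can run against outgoing hits in a test harness. All field names, URL paths, parameter names and sample values are constructed assumptions.

```javascript
// Added example (not Kaiser Permanente's or any vendor's code). All names,
// paths and values below are constructed for illustration.

// Query parameters that carry user-entered text and must never reach a vendor.
const SENSITIVE_QUERY_PARAMS = new Set(["q", "query", "search", "term"]);
// URL sections whose full path reveals a health interest or account status;
// a tag may learn the section, never the specific page or query under it.
const SENSITIVE_PATH_PREFIXES = ["/encyclopedia/", "/conditions/", "/account/"];
// Data-layer keys that identify a person or their signed-in state.
const IDENTITY_KEYS = new Set(["userName", "memberId", "email", "signedIn"]);

// Constructed sample: what a signed-in member's encyclopedia search looks
// like to any script running on the page.
const SAMPLE_PAGE_STATE = {
  url: "https://healthportal.example/encyclopedia/search?q=type+2+diabetes&page=2",
  referrer: "https://healthportal.example/account/dashboard",
  dataLayer: { userName: "Jane Doe", memberId: "M123456", signedIn: true, pageType: "encyclopedia" },
};

// An unrestricted tag assembles its hit from everything in reach. This is the
// shape of payload the article describes leaving the site.
function buildNaiveHit(state) {
  return {
    dl: state.url,                        // full URL, search term included
    dr: state.referrer,                   // previous page, here the account area
    uid: state.dataLayer.memberId,
    un: state.dataLayer.userName,
    li: state.dataLayer.signedIn ? 1 : 0, // signed-in flag
    pt: state.dataLayer.pageType,
  };
}

// Collapse sensitive sections to their prefix; elsewhere blank out search-type
// query values so user-entered text never leaves the page.
function redactUrl(urlString) {
  const u = new URL(urlString);
  const section = SENSITIVE_PATH_PREFIXES.find((p) => u.pathname.startsWith(p));
  if (section) {
    u.pathname = section;
    u.search = "";
    u.hash = "";
    return u.toString();
  }
  for (const key of [...u.searchParams.keys()]) {
    if (SENSITIVE_QUERY_PARAMS.has(key.toLowerCase())) u.searchParams.set(key, "redacted");
  }
  return u.toString();
}

// Return a copy of the data layer with every identifying key removed.
function sanitizeDataLayer(dataLayer) {
  return Object.fromEntries(Object.entries(dataLayer).filter(([k]) => !IDENTITY_KEYS.has(k)));
}

// The hit a tag can build when it is only ever handed scrubbed page state.
function buildScopedHit(state) {
  const clean = sanitizeDataLayer(state.dataLayer);
  return { dl: redactUrl(state.url), dr: redactUrl(state.referrer), pt: clean.pageType };
}

// Audit a hit before it leaves the page (for example from a test harness that
// intercepts beacons). Returns a list of findings; an empty list is acceptable.
function auditHit(hit) {
  const findings = [];
  for (const [k, v] of Object.entries(hit)) {
    if (["uid", "un", "li"].includes(k)) findings.push(`identity field ${k}`);
    if (typeof v !== "string" || !v.startsWith("http")) continue;
    const u = new URL(v);
    for (const key of u.searchParams.keys()) {
      if (SENSITIVE_QUERY_PARAMS.has(key.toLowerCase()) && u.searchParams.get(key) !== "redacted") {
        findings.push(`${k} carries search term in '${key}'`);
      }
    }
    const section = SENSITIVE_PATH_PREFIXES.find((p) => u.pathname.startsWith(p));
    if (section && u.pathname !== section) findings.push(`${k} exposes specific page under ${section}`);
  }
  return findings;
}

console.log("naive hit findings:", auditHit(buildNaiveHit(SAMPLE_PAGE_STATE)));
console.log("scoped hit findings:", auditHit(buildScopedHit(SAMPLE_PAGE_STATE)));
```

Running it on the constructed sample reports six findings for the naive hit (search term and specific encyclopedia page in the URL, the account page in the referrer, and three identity fields) and none for the scoped hit. The design point is that the scrub runs on the site's side, before any vendor script reads page state, rather than trusting each vendor's own filtering; the audit is the regression check that keeps a later tag change from quietly reintroducing the leak.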
“It’s hard to gauge how bad this data breach is,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “It wasn’t malicious. It wasn’t a ransomware group exfiltrating data. It was what looks like a mistake in understanding what type of data was transmitted to vendors and advertisers.”
“But the data did individually identify, by name, people and what they searched for and what web pages they spent time on. That’s about as bad as a data leak gets without revealing bank account numbers and passwords,” added Grimes.
Online tracking technologies removed
Kaiser Permanente said it has removed the tracking technologies installed on its websites and mobile apps to prevent further exposure and implemented additional measures recommended by security experts to prevent similar incidents in the future.
“Kaiser Permanente conducted a voluntary internal investigation into the use of these online technologies, and subsequently removed them from the websites and mobile applications,” the healthcare provider stated.
Although the healthcare provider is unaware of any misuse of the leaked information, it will notify all impacted individuals.
“Out of an abundance of caution, we are informing about 13.4 million current and former members and patients who accessed our websites and mobile applications,” Kaiser Permanente said in a press statement.
Kaiser Permanente joins Cerebral, Monument, and Tempest, all of which exposed members’ and patients’ personal information through third-party online tracking and analytics code.
“The presence of third-party trackers belonging to advertisers, and the over-sharing of customer information with these trackers, is a pervasive problem in both health tech and government space,” said Narayana Pappu, CEO at Zendata.
Federal regulators had previously warned 130 healthcare providers that online tracking technologies could violate healthcare data privacy laws.
According to the Federal Trade Commission (FTC), online tracking code necessarily captures how users interact with a site and could reveal patients’ medical conditions, diagnoses, medications, medical treatments, frequency of hospital visits, and treatment locations.
While Kaiser’s data breach stemmed from inadvertent disclosure, cybercriminals frequently target healthcare organizations for the valuable personal and protected health information they store, and disrupt their operations for extortion.
“Successful targeting and compromise of organizations in the healthcare sector provide a gold mine for both eCrime and nation-states,” noted Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ.
Kaiser Permanente is no stranger to data breaches. In 2022, the healthcare provider suffered a data breach caused by unauthorized access to an employee’s email that affected nearly 70,000 individuals. That security breach leaked patients’ first and last names, medical record numbers, dates of service, and lab test result information.