Kaiser Exposed Up To 13.4M Plan Member Records To Third Parties

Dive Brief:

• Kaiser Foundation Health Plan disclosed a data breach impacting 13.4 million current and former plan members to the federal government on Thursday. 
• The health plan said in a statement to Healthcare Dive that it may have unwittingly shared patients’ information with third-party advertisers, including Google, Microsoft and X, the company formerly known as Twitter. 
• It’s the largest data breach reported to the HHS’ Office for Civil Rights so far this year, surpassing the second largest breach by over 9.4 million individuals impacted.

Dive Insight:

The Kaiser Health Plan is one of the largest healthcare organizations in the country, with more than 12.5 million members at the end of 2023.

The health plan said it identified the breach during a routine investigation that found “certain online technologies, previously installed on its websites and mobile applications” may have transmitted health data to third-party vendors.

That information includes members’ names and IP addresses, information about whether they’re signed into a Kaiser account or service and details about how patients use the applications, including search terms used in the health encyclopedia. 

Kaiser said it will begin notifying impacted individuals about the breach. The healthcare conglomerate has already removed the tracking code from its mobile applications and website.

Kaiser has been embroiled in litigation over alleged privacy violations related to the use of its tracking technologies since last summer. 

In June, plaintiffs filed a class action lawsuit against the health plan in a U.S. district court, accusing Kaiser of revealing their confidential medical information to third parties without their consent.

The lawsuit alleges Kaiser disclosed information about medical topics researched, medical “choices made” following that research and communications with medical providers.

The breach comes amid a surge in healthcare tracking tech lawsuits filed against health companies and hospital systems. 

Primary care provider VillageMD was sued earlier this month for allegedly sharing patient data with Facebook and Google through tracking technologies. Charlotte, North Carolina-based health system Atrium Health was sued in the same week for allegedly disclosing patient data to Facebook via tracking tools.

While consumers are filing lawsuits alleging privacy protection violations, regulators are also debating the role of tracking technology in healthcare.

Nearly all hospitals used tracking tools on their websites as of 2021, and many shared visitor information with tech giants including Alphabet and Meta, according to a 2023 study in Health Affairs.

In December 2022, the HHS Office for Civil Rights issued a bulletin clarifiying HIPAA rules applied to online tracking tools. Last year, the Federal Trade Commission and HHS OCR sent letters to approximately 130 hospitals and telehealth providers warning that embedding such tools into their websites could expose patients’ personal health data to third parties. 

The American Hospital Association has pushed back against regulators’ attempts to curtail the use of tracking tech, arguing that the data offers critical insight that health systems need to improve websites and patients’ access to care. For example, tracking tools can point to where patients have trouble navigating websites or common community medical questions, the AHA said.

In November, the AHA sued the HHS over proposed restrictions on tracking technologies. 

In March, the HHS OCR updated its guidance around tracking technology to clarify that sharing website visits alone with a third party wasn’t enough to constitute a breach. However, the agency said healthcare companies could not use tracking technologies “in a manner that would result in impermissible disclosures” of personal health information to tracking technology vendors, or result in any other violations of privacy rules.