Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers

US health conglomerate Kaiser is notifying millions of current and former members of a data breach after confirming it shared patients’ information with third-party advertisers, including Google, Microsoft and X (formerly Twitter).

In a statement shared with TechCrunch, Kaiser said that it conducted an investigation that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”

Kaiser said that the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”

Kaiser said it subsequently removed the tracking code from its websites and mobile apps.

Kaiser is the latest healthcare organization to confirm it shared patients’ personal information with third-party advertisers by means of online tracking code, which is often embedded in web pages and mobile apps and designed to collect information about users’ online activity for analytics. Over the past year, telehealth startups Cerebral, Monument and Tempest have pulled tracking code from their apps that shared patients’ personal and health information with advertisers.
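One way a site operator can inventory such embedded tracking code before it sends visitor data anywhere, as an added example that is not from the article or from Kaiser: a short Python audit that parses a page's HTML and lists every third-party host its script, image, iframe and link tags would contact, flagging those on an assumed list of advertising and analytics hosts (the host list and the sample page below are constructed for the example).

```python
# Added defender-side audit (not Kaiser's or the article's code): parse an HTML
# page and list the third-party hosts its embedded tags would send data to.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts associated with advertising/analytics tags; constructed list for the example.
AD_TRACKER_HOSTS = {
    "www.googletagmanager.com", "www.google-analytics.com",
    "connect.facebook.net", "bat.bing.com", "static.ads-twitter.com",
}
# Attributes that make the browser fetch a remote resource, per tag.
SRC_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ThirdPartyCollector(HTMLParser):
    """Collects the host of every remote resource the page references."""

    def __init__(self, first_party: str):
        super().__init__()
        self.first_party = first_party
        self.hosts: set[str] = set()

    def handle_starttag(self, tag, attrs):
        attr = SRC_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname
        # Relative URLs (no host) and same-site hosts count as first-party.
        if host and host != self.first_party and not host.endswith("." + self.first_party):
            self.hosts.add(host)


def audit_page(html: str, first_party: str) -> dict:
    """Split third-party hosts into known trackers and everything else."""
    parser = ThirdPartyCollector(first_party)
    parser.feed(html)
    trackers = sorted(h for h in parser.hosts if h in AD_TRACKER_HOSTS)
    return {"trackers": trackers,
            "other_third_party": sorted(parser.hosts - set(trackers))}


# Constructed sample page for a fictional health portal.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-health.org/site.css">
</head><body>
<img src="https://bat.bing.com/action/0?ti=EXAMPLE" height="0" width="0">
<iframe src="https://maps.example.com/embed"></iframe>
</body></html>"""
```

Running `audit_page(SAMPLE_HTML, "example-health.org")` reports the tag-manager and Bing pixel hosts as trackers and the maps embed as an unclassified third party, which is the list a privacy review would then check against what the site is actually permitted to share.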

Kaiser spokesperson Diana Yee said that the organization would begin notifying 13.4 million affected current and former members and patients who accessed its websites and mobile apps. The notifications will start in May in all markets where Kaiser Permanente operates, the spokesperson said.

The health giant also filed a legally required notice with the US government on April 12, which was made public on Thursday, confirming that 13.4 million residents had their information exposed.

US organizations covered under the health privacy law known as HIPAA are required to notify the US Department of Health and Human Services of data breaches involving protected health information, such as medical data and patient records. Kaiser also notified California’s attorney general of the data breach, but did not provide any further details.

The Kaiser Foundation Health Plan is the parent organization of several entities that make up Kaiser Permanente, one of the largest healthcare organizations in the United States. The Kaiser Foundation Health Plan provides health insurance plans to employers and reported 12.5 million members as of the end of 2023.

The breach at Kaiser is listed on the Department of Health and Human Services’ website as the largest confirmed health-related data breach of 2024 so far.
