Kaiser Warning Millions of Possible Data Exposure

Kaiser told SFGATE that “certain online technologies, previously installed on its websites and mobile applications,” may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter).

Kaiser Permanente, the Oakland-based health care conglomerate, is warning millions of customers that one of its divisions may have exposed their names, symptom searches and other data to major tech companies.

Kaiser Foundation Health Plan Inc. disclosed the data breach to the U.S. Department of Health and Human Services on April 12. TechCrunch first reported the news.

Kaiser told SFGATE in a statement on Thursday that “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter).”

Kaiser plans to notify 13.4 million people about the breach, and said the notifications are “out of an abundance of caution.” That huge number includes “current and former members and patients who accessed our websites and mobile applications,” the company said. Kaiser did not immediately respond to SFGATE’s question about the time frame of the breach.

Any of the 13.4 million people may have had their personal information transmitted to the tech companies, but it isn’t clear for what share of them that actually happened. The incident makes Kaiser’s the biggest health-related breach of the year, per the HHS’ breach portal.

Though the personal information didn’t include passwords, Social Security numbers or credit card information, per Kaiser, the tech giants reportedly had the chance to hoover up a swath of other data. The health care company’s statement to SFGATE said the breach may have included patients’ names, IP addresses, sign-in statuses and how they navigated through Kaiser’s website and mobile apps.

Kaiser also said “search terms used in the health encyclopedia” may have been disclosed. The company has a search engine for looking up symptoms, drugs, injuries and exercises, so the tech companies, which often use personal data to target ads, may have seen Kaiser patients’ medical concerns.

In the statement, the health care giant said it is not aware of any misuse of any member’s or patient’s personal information. Kaiser added: “We apologize that this incident occurred.”

The technology to blame for the breach has been removed from Kaiser’s websites and apps, the company said. It’s likely that tracking software, which is often embedded in the code of websites for user analytics, allowed the tech companies that send traffic around the internet to see who Kaiser patients were and what they were doing.

As TechCrunch reported in 2023, health care companies have to be particularly careful about tracking software on their websites because of potential violations of privacy laws.

The HHS Office for Civil Rights is investigating Kaiser’s breach and dozens of others disclosed this year by health care providers, per the office’s breach portal.

(c)2024 SFGate, San Francisco. Distributed by Tribune Content Agency, LLC.