Millions of Kaiser Permanente patients' data was likely handed over to Google, Microsoft Bing, X/Twitter, and other third-parties, according to the American healthcare giant.
Kaiser told The Register it has started notifying 13.4 million current and former members and patients that "certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," when customers used its websites and mobile applications.
Kaiser has since removed that tech from its websites and apps, and said it is not aware of "any misuse of any member's or patient's personal information."
In other words, this appears to be the result of Kaiser placing user tracking and analytics tools, offered by Big Tech and advertising brokers, on its websites and apps, and only now realizing exactly what information that code transmitted when people visited and used those sites and applications.
The tech world has come under fire for allowing this kind of thing to happen – collecting information for advertising and tracking purposes – especially when it involves health-related data and services. A bunch of UK and US government websites were found this week carrying ad-tech that pinged advertising exchanges when visitors dropped by.
Earlier this month, as spotted by TechCrunch, Kaiser Permanente formally disclosed to the US Department of Health and Human Services that it had caused a security snafu.
Screenshot from the US Department of Health and Human Services security breach portal, showing Kaiser's 13.4M leak disclosure
The information given to third parties includes individuals' "IP address, name, information that could indicate a member or patient was signed into a Kaiser Permanente account or service, information showing how a member or patient interacted with and navigated through the website, and mobile applications, and search terms used in the health encyclopedia," according to Kaiser's statement to us.
Kaiser emphasized no usernames, passwords, Social Security numbers, financial account information, or credit card numbers were shared with the third parties. So while super sensitive information wasn't leaked, having health knowledge base search terms and site usage handed over isn't terribly great.
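The mechanism behind this kind of disclosure is mundane: any script, pixel, or iframe loaded from a third-party host hands that host the visitor's IP address, the page URL (via the Referer header), and whatever the tag's own code chooses to send, which is how on-site search terms and signed-in state end up with analytics and ad vendors. The following is an added example (not Kaiser's code, nor any vendor's) of the kind of audit a site owner can run over their own HTML to list every third-party host a page causes the browser to contact, and to flag query parameters such as search terms that would travel to those hosts in the page URL. The sample page, the `health.example.test` first-party domain, and the `example-tracker.test` hosts are constructed for the example; the registrable-domain check is a deliberate two-label approximation rather than a public-suffix-list lookup.

```python
"""Audit an HTML page for resource loads that go to third-party hosts.

Added example for illustration; the sample page and domains are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page: a first-party site that embeds a tag manager,
# a tracking pixel and a third-party stylesheet alongside its own assets.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-tracker.test/style.css">
</head><body>
<img src="https://analytics.example-tracker.test/pixel.gif?ev=pageview" width="1" height="1">
<iframe src="https://health.example.test/embed"></iframe>
<img src="/img/logo.png">
</body></html>
"""

FIRST_PARTY = "health.example.test"  # assumed first-party host for the sample

# Tag/attribute pairs that make the browser fetch a URL. Each fetch gives the
# target host the visitor's IP and, by default, the page URL in the Referer.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects (tag, url) for every resource-loading attribute in the page."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = LOADING_ATTRS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.resources.append((tag, value))


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def third_party_loads(html, first_party_host):
    """Return [(tag, host)] for every load whose host is not first-party."""
    collector = ResourceCollector()
    collector.feed(html)
    own = registrable_domain(first_party_host)
    found = []
    for tag, url in collector.resources:
        host = urlparse(url).hostname  # None for relative (first-party) URLs
        if host and registrable_domain(host) != own:
            found.append((tag, host))
    return found


def sensitive_query_params(page_url, sensitive_keys=("q", "query", "search", "term")):
    """Query parameters that would reach every third-party host via the page URL.

    Search terms typed into an on-site search box usually end up in the URL,
    and from there in the Referer header sent to each embedded third party
    unless a strict Referrer-Policy is set.
    """
    qs = parse_qs(urlparse(page_url).query)
    return {k: v for k, v in qs.items() if k.lower() in sensitive_keys}


if __name__ == "__main__":
    for tag, host in third_party_loads(SAMPLE_HTML, FIRST_PARTY):
        print(f"third-party {tag:<6} -> {host}")
    leaked = sensitive_query_params("https://health.example.test/encyclopedia?q=hiv+testing&page=2")
    print("query params exposed to third parties:", leaked)
```

Running the audit over a real site's pages is a useful first step before deciding which tags stay; the `sensitive_query_params` check is a reminder that even a vendor script that sends nothing itself still receives the page URL, so search terms in that URL count as transmitted data. Setting a `Referrer-Policy` such as `strict-origin-when-cross-origin` limits what the Referer carries, but it does not stop a vendor script from reading `location.search` directly.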
"Kaiser Permanente conducted a voluntary internal investigation into the use of these online technologies, and subsequently removed them from the websites and mobile applications," the Oakland, California-based consortium said in its statement. "In addition, Kaiser Permanente has implemented additional measures with the guidance of experts designed to safeguard against recurrence of this type of incident."
The health care and coverage super-group, one of the largest in the US, has 12.5 million members across 10 states with 40 hospitals and 618 medical offices. It employs 24,600 physicians, 73,600 nurses, and 235,000 other employees.
This disclosure comes as research published earlier this month revealed American hospitals regularly use tracking technologies on their websites that pass user information to Google, Meta, data brokers, and other third parties.
Academics at the University of Pennsylvania analyzed a nationally representative sample of 100 non-federal acute care hospitals and found 96 percent of their websites transmitted user data to third parties.
Plus, not all of the websites had a privacy policy. Of the 71 percent that did, 56 percent disclosed specific third-party companies that could receive user information. ®