In April, Kaiser Permanente disclosed they had faced a large data breach in 2023. Now, as more details roll in and the lawsuits pile up, Cloudticity takes a look at what happened and what’s next for Kaiser.
The Big Picture
Kaiser Permanente, based out of Oakland, California, is an American integrated managed care consortium with hospitals and care centers across the United States. As one of the largest healthcare organizations in the US, they currently operate 40 hospitals and 618 other medical facilities.
Kaiser is different from other care providers in that their system is widely interconnected, allowing patients to quickly see specialists under Kaiser Permanente, rather than having to be referred outside of the managed care unit.
The company has been operating since 1945 and has built a strong reputation for providing care.
In late April, however, Kaiser Permanente experienced a massive data breach that impacted up to 13.4 million customers. The breach was allegedly caused by the use of online technologies that could have potentially transmitted personal information to third-party vendors.
How It Started
The debate around online tracking technologies is far from new; in 2023 a study revealed that nearly 98% of hospitals used tracking software on their websites. At first glance, this software may seem benign, but it can pick up private health information about the patient or the condition they may be seeking treatment for.
There have been significant disagreements over whether tracking technologies are ethical, alongside logistical concerns about removing them. Many companies outsource website operational tasks to third parties like Meta and Google. These companies then embed their tracking technology in the website, which, over time, collects data from customers who use it.
It remains unclear exactly how this data may be used, but it’s possible that companies could use it for marketing purposes, which would constitute a HIPAA violation.
Since the 2023 report came out, the Department of Health and Human Services (HHS) has been encouraging hospitals to stop using pixels. As of March 2024, the official stance from the HHS is that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
Despite the HHS’ guidance, hospitals haven’t necessarily been quick to stop using them. Many have found difficulties in transitioning away from tracking technologies, as it could mean no longer using the third-party service they are connected to.
Kaiser and Tracking Technology
Overall, Kaiser Permanente has remained fairly tight-lipped about the situation. According to one source, the tracking pixels leaked data to Microsoft, Google, and the social media platform X.
In late April, Kaiser said in a statement they had conducted an investigation that found “certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors.”
Kaiser shared that disclosed information included member names and IP addresses as well as how members “interacted with and navigated through the website and mobile applications; and search terms used in the health encyclopedia.”
Kaiser said they have removed the tracking code from their websites and mobile apps. When navigating to Kaiser Permanente’s website, users do receive a privacy notice stating, “Kaiser Permanente uses web tracking technologies on this site and may share such data with its third parties to enhance your experience and optimize our ability to make users aware of our services. By navigating the site, you agree to the use of the web technologies as described in our Privacy Statement.”
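As an added illustration of the data path described in the two sections above (this is example code, not from the original post, Kaiser, or Cloudticity), the script below audits a list of outbound browser requests, such as those exported from a browser's network log, for third-party hosts that receive first-party page paths or health-encyclopedia search terms, either inside beacon parameters or through the Referer header. The first-party host, the beacon parameter names and the sample requests are all constructed for the example.

```javascript
// Added example: audit outbound browser requests for third-party hosts that
// receive first-party page paths or search terms. Hosts, parameter names and
// sample requests are constructed, not taken from any real site or vendor.
const FIRST_PARTY = "kp.example";              // hypothetical first-party host
const SEARCH_KEYS = ["q", "query", "search"];  // assumed search-box parameters
const URL_KEYS = ["dl", "dr", "url", "ref", "href", "rl"]; // assumed page-URL beacon params

function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

// Collects first-party page paths and search terms exposed by a URL, following
// first-party URLs embedded as beacon parameter values (e.g. dl=https%3A...).
function extractExposure(urlStr, firstParty, out = { pages: new Set(), terms: new Set() }) {
  const u = new URL(urlStr);
  if (!isThirdParty(u.hostname, firstParty)) out.pages.add(u.pathname);
  for (const [k, v] of u.searchParams) {
    if (SEARCH_KEYS.includes(k)) out.terms.add(v);
    else if (URL_KEYS.includes(k) && /^https?:\/\//.test(v)) extractExposure(v, firstParty, out);
  }
  return out;
}

// Each request is { url, referrer }; the Referer header is itself a leak path.
function auditRequests(requests, firstParty = FIRST_PARTY) {
  const findings = [];
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    if (!isThirdParty(host, firstParty)) continue;      // first-party traffic is expected
    const exp = extractExposure(r.url, firstParty);
    if (r.referrer) extractExposure(r.referrer, firstParty, exp);
    if (exp.pages.size || exp.terms.size) {
      findings.push({ host, pages: [...exp.pages], terms: [...exp.terms] });
    }
  }
  return findings;
}

// Constructed sample: an encyclopedia search, its analytics beacon, a widget
// script load that only sees the Referer, and a beacon carrying no page data.
const SAMPLE_REQUESTS = [
  { url: "https://kp.example/health-encyclopedia?q=hiv+testing", referrer: "" },
  { url: "https://pixel.tracker.example/collect?id=42&dl=" +
         encodeURIComponent("https://kp.example/health-encyclopedia?q=hiv+testing"),
    referrer: "https://kp.example/health-encyclopedia?q=hiv+testing" },
  { url: "https://cdn.widgets.example/chat.js", referrer: "https://kp.example/appointments/schedule" },
  { url: "https://pixel.tracker.example/collect?id=42&ev=pageview", referrer: "" },
];
console.log(JSON.stringify(auditRequests(SAMPLE_REQUESTS), null, 2));
```

The second finding (the widget script) shows that even a host with no tracking intent learns the visited page from the Referer header; a first-party `Referrer-Policy: no-referrer` or `strict-origin-when-cross-origin` header closes that path, while beacons that copy the page URL into their own parameters have to be removed or reconfigured.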
Building Repercussions
Kaiser has already begun sending out notifications to the 13.4 million impacted members who accessed their website on a mobile device or through a browser. Impacted individuals include both current and past Kaiser members, who should receive notices throughout May.
The breach has been listed by the OCR as “under investigation,” which is common when a breach is first reported.
The breach resulted in Kaiser being forced to change their website code, but other repercussions could have an even larger impact. Kaiser is currently facing multiple lawsuits regarding privacy protections.
One lawsuit, which was filed before the breach was recorded by the OCR, alleges that Kaiser wrongly shared personal health information including appointment scheduling, medical test results, prescription orders, and more with third parties. Many other firms are currently gathering information and could potentially file a separate suit.
What the Experts Said
Many healthcare organizations have expressed frustration regarding the HHS’ decision to prohibit the use of tracking technologies. In a press release from the American Hospital Association, the general counsel and secretary, Chad Golder, said that the updated release from the HHS remained flawed. “Unfortunately, the modified Bulletin suffers from the same basic substantive and procedural defects as the original one, and the agency cannot rely on these cosmetic changes to evade judicial review. The modified rule will continue to chill hospitals’ use of commonplace technologies that allow them to effectively reach patients in need.”
Kaiser’s breach disclosure and efforts to remedy the situation could point to a changing tide in how hospitals handle the HHS’ announcement. If others follow suit, we may begin to see an increase in reported breaches related to tracking.
How Cloudticity Can Help
Cloudticity is the best in the business when it comes to Managed Security for Healthcare. As a HITRUST-certified organization, we understand and stay up to date with healthcare security challenges and best practices.
We’ve been operating since 2011 and have never experienced a breach. Our solution includes expert cloud architects who design and manage client systems, along with our advanced technology platform and proven processes, that keep healthcare data safe in the cloud.
Learn more about how Cloudticity can help you address critical cybersecurity challenges. Reach out today for a free consultation.