Incident Involves Health Plans’ Prior Use of Online Tech in Websites, Mobile Apps
Kaiser Foundation Health Plan has reported to federal regulators a health data breach affecting 13.4 million individuals, categorized as “unauthorized access/disclosure” and stemming from the insurer’s previous use of online tracking technologies on its websites and mobile applications.
In addition to the report filed on April 12 to the U.S. Department of Health and Human Services’ Office for Civil Rights, Kaiser also reported the incident on that same day to California’s attorney general.
In a statement provided to Information Security Media Group Thursday afternoon, Kaiser Permanente said the breach involved the organization’s recent determination that certain online technologies previously installed on its websites and mobile applications “may have transmitted personal information to third-party vendors Google, Microsoft Bing and X (Twitter) when members and patients accessed its websites or mobile applications.”
Kaiser Permanente said the information potentially included IP address, name, information that could indicate a member or patient was signed into a Kaiser Permanente account or service, information showing how a member or patient interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.
No usernames, passwords, Social Security numbers, financial account information or credit card numbers were included in the transmission to these third parties, the organization said.
“Kaiser Permanente conducted a voluntary internal investigation into the use of these online technologies and subsequently removed them from the websites and mobile applications,” the statement says. “In addition, Kaiser Permanente has implemented additional measures with the guidance of experts designed to safeguard against recurrence of this type of incident.”
Kaiser Permanente said it is not aware of any misuse of any members’ or patients’ personal information. “Nevertheless, out of an abundance of caution, we are informing approximately 13.4 million current and former members and patients who accessed our websites and mobile applications. We apologize that this incident occurred.”
Kaiser Permanente says it is one of the nation’s largest not-for-profit health plans, serving 12.5 million members. A spokeswoman said the incident affects members in all markets where Kaiser Permanente operates and that affected individuals will be notified directly in May.
The Kaiser Permanente breach notification comes as both HHS OCR and the Federal Trade Commission have been heavily scrutinizing the use of web tracking tools on health-related websites and in mobile apps. The FTC has brought several enforcement actions against telehealth companies over their use of web trackers.
HHS OCR has released guidance materials that warn about potential HIPAA violations related to online trackers, but it has yet to issue an enforcement action in any web tracking cases (see: Tracker Backtrack: Feds Revise HIPAA Guidance on Web Tools).
HHS OCR and the FTC last year sent 130 hospitals and telehealth firms letters warning about their use of web trackers (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).
As of Thursday, the Kaiser Foundation incident is by far the largest health data breach posted in 2024 on the HHS OCR HIPAA Breach Reporting Tool website.
But that distinction could be short-lived. Forthcoming breach reports expected to be filed to regulators involving the cyberattack on UnitedHealth Group’s Change Healthcare units could affect tens of millions of individuals. UnitedHealth Group said Monday that the Change Healthcare incident appears to have affected “a substantial portion” of the American population, which exceeds 300 million individuals (see: Change Health Attack: Details Emerge; Breach Will Top Record).