Healthcare service provider Kaiser Permanente disclosed a data security incident that may impact 13.4 million people in the United States.
Kaiser Permanente is an integrated managed care consortium and one of the largest nonprofit health plans in the U.S.
It operates 40 hospitals and 618 medical facilities in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington.
In a statement to BleepingComputer, the organization said that information from “approximately 13.4 million current and former members and patients” was leaked to third-party trackers installed on its websites and mobile applications.
“Kaiser Permanente has determined that certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter) when members and patients accessed its websites or mobile applications” – Kaiser Permanente
The spokesperson clarified that the data may include IP addresses, names, information that could indicate a member or patient was signed into a Kaiser Permanente account or service, details showing how a member or patient interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.
Typically, information collected by online trackers is shared with an extensive network of marketers, advertisers, and data brokers.
The statement highlights that the data exposed this way does not include usernames, passwords, Social Security Numbers (SSNs), financial account information, or credit card numbers.
Kaiser Permanente says the trackers were discovered and removed following a voluntary internal investigation, and that additional measures to prevent the recurrence of similar incidents have now been implemented.
Although the organization is not aware of cases of misuse of the exposed information, it will notify individuals who accessed its sites and used its mobile apps out of an abundance of caution.
In June 2022, Kaiser Permanente disclosed a data breach, caused by an external actor's unauthorized access to an employee’s email account, that exposed the health information of 69,000 people.
The data exposed at the time included full names, medical records, dates of service, and lab test results.