Kaiser Permanente data breach may have impacted 13.4 million patients
April 26, 2024
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals in the United States.
Kaiser Permanente is an American integrated managed care consortium, it is made up of three distinct but interdependent groups of entities: the Kaiser Foundation Health Plan, Inc. (KFHP) and its regional operating subsidiaries; Kaiser Foundation Hospitals; and the regional Permanente Medical Groups.
The health giant operates 39 hospitals and more than 700 medical offices, with over 300,000 personnel, including more than 87,000 physicians and nurses.
It operates in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington.
Media reported [1, 2] that the company is notifying millions of current and former members of a data breach. TechCrunch reported that the company confirmed it shared patients’ information with third-party organizations, including Google, Microsoft and X, for advertising purposes.
Shared data include names, IP addresses, and information about members’ operations on the company website and mobile apps. This included search terms used in their health encyclopedia. Kaiser Permanente later removed the tracking code from their platforms. Exposed data does not include usernames, passwords, Social Security Numbers (SSNs), and financial data.
In a notice filed with the US government, the integrated managed care consortium disclosed a data breach impacting 13.4 million residents.
Kaiser Permanente is not aware of any misuse of the exposed information.
In June 2022, Kaiser Permanente disclosed another data breach that exposed the health information of 69,000 people. The company revealed that threat actors gained access to an employee’s emails at the Kaiser Foundation Health Plan of Washington.
The exposed data included names, medical records, dates of service, and lab test results.
Pierluigi Paganini
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, data breach)