Kaiser Permanente informed 13.4 million current and former members, as well as patients who visited its websites and mobile apps. The healthcare provider warned that certain internet monitoring technologies may have sent personal information to third-party apps.
The largest healthcare organisation in the United States, Kaiser Permanente, has 700 medical centers and 39 hospitals in several states. It has a large network that serves 12.5 million members and employs over 300,000 people, including over 87,000 doctors and nurses.
A data breach occurred when users of Kaiser’s websites and mobile applications discovered that third-party providers, including Google, Microsoft Bing, and X (previously Twitter), had access to their personal information.
Companies commonly utilise software or scripts known as “third-party trackers” to collect information about its users. These trackers collect information such as location, device type, and personal identifiers while monitoring user behaviour, including clicks, app usage, and browsing patterns.
Such data is used for a variety of purposes, including targeted advertising, analytics, and marketing. Google Analytics is a prime example, with over 13 million websites installed as of 2023.
According to Kaiser Permanente, there was a significant breach that may have exposed sensitive data. Particularly, the leaked data included search phrases in the health encyclopaedia, IP addresses, and names of users.
Furthermore, the data breach compromised information regarding a user’s interactions and navigational patterns on Kaiser Permanente’s platforms. Notably, the data exchange excluded critical identifiers such as usernames, passwords, Social Security numbers, and financial information.
Kaiser Permanente’s Reaction to Addressing Data Privacy Risks in Healthcare
Finn reported in July 2023 that federal officials had warned hospital systems and telehealth providers about risks to data privacy associated with third-party tracking technology. These services include Meta Pixel and Google Analytics.
Authorities warned that such technology might violate the Health Insurance Portability and Accountability Act (HIPAA) and Federal Trade Commission (FTC) data security standards.
In an unusual joint statement, the Office for Civil Rights at HHS and the Federal Trade Commission announced that 130 hospital systems and telehealth providers had received a letter. The letter acted as an alert to them about the threats to their data privacy and security posed by using online monitoring technologies integrated into their mobile applications or websites.
On April 12, Kaiser Permanente reported a data breach to the US Department of Health and Human Services and the California Attorney General’s Office. Kaiser Permanente found and eliminated the trackers after a voluntary internal inquiry. To ensure that such incidents don’t occur again, they have also put in place further security measures.
Kaiser Permanente also disclosed a data breach incident impacting 70,000 people in June 2022. A threat actor gained unauthorised access to a worker’s email account, which led to the breach. The exposed information included full names, medical data, dates of service, and lab test results.
Kaiser Permanente, including smaller healthcare providers, need comprehensive cybersecurity measures. It is fundamental that all healthcare organisations place a high priority on staff training, comprehensive cybersecurity policies and infrastructure, and frequent security assessments.
Healthcare providers need to set up clear communication procedures and quick reaction plans in addition to technological security measures such as advanced encryption methods and intrusion detection systems.
The processes for alerting impacted organisations, defining escalation procedures, and defining internal and external points of contact should all be included in these protocols. Maintaining patient confidence and minimising the effects of a breach need prompt identification, action, and awareness.
Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology, you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks.
