Kaiser Foundation Health Plan Reports 13.4 Million-Record Data Breach

Kaiser Foundation Health Plan, Inc. has recently reported a major data breach to the HHS’ Office for Civil Rights (OCR) that involved the protected health information of up to 13.4 million individuals. This is the largest healthcare data breach to be reported so far in 2024, although that unwanted record is unlikely to last for long, as UnitedHealth has warned that a substantial proportion of Americans are likely to have been affected by the ransomware attack on Change Healthcare.

Like many other healthcare organizations, Kaiser added tracking technologies to its websites and apps. These tools, often referred to as pixels, provide website owners with valuable information about how users interact with their websites and apps. The problem for healthcare organizations is that these tools transmit the collected data to the third-party providers of the code, and that the data transferred is covered by HIPAA.

Kaiser conducted a voluntary internal investigation into the use of these tools and found that they were transferring sensitive data to tech companies such as Google, Microsoft, and X. The data transferred included member names, IP addresses, and information regarding users’ interactions on the websites and apps. If a user looked up symptoms in the health encyclopedia on the website, those search terms were transferred to the tech firms and could reveal information about an individual’s health concerns.
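The mechanism described in the two paragraphs above, as an added illustration that is not code from the article, from Kaiser, or from any named vendor: a typical pixel beacon sends the full page URL, query string included, to the vendor's host, so a health-encyclopedia search such as `?q=chest+pain` rides along with it. The Node.js script below builds such beacons, shows a redaction step that strips the search term before any tag sees the URL, and audits a constructed set of outbound requests for search terms reaching hosts that have not signed a business associate agreement. The vendor hosts, the parameter names (`dl`, `cid`, `q`), the BAA allowlist and the sample requests are all assumptions made for the example.

```javascript
// Added example (not from the article or any vendor): how a pixel beacon
// leaks a health-encyclopedia search term, and how a defender can redact
// the URL and audit captured outbound requests for such leaks.

// Hypothetical allowlist of vendor hosts covered by a signed BAA.
const BAA_HOSTS = new Set(["analytics.example-baa-vendor.com"]);

// Assumed names of the site's own search-box query parameters.
const SENSITIVE_PARAMS = new Set(["q", "query", "symptom", "search"]);

// Models what a typical tracking tag sends: the page URL ("dl") and a
// client id ("cid"). Parameter names are assumptions, not a real vendor API.
function buildBeaconUrl(vendorHost, pageUrl, clientId) {
  const beacon = new URL(`https://${vendorHost}/collect`);
  beacon.searchParams.set("dl", pageUrl);
  beacon.searchParams.set("cid", clientId);
  return beacon.toString();
}

// Hardened form: replace sensitive query values before the URL reaches any tag.
function redactPageUrl(pageUrl) {
  const u = new URL(pageUrl);
  for (const name of [...u.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      u.searchParams.set(name, "[redacted]");
    }
  }
  return u.toString();
}

// Audit captured requests (e.g. from a HAR export). A finding is a request to a
// host that is neither first-party nor under a BAA whose parameters embed a page
// URL still carrying an unredacted sensitive search parameter.
function auditBeacons(requestUrls, firstPartyHost) {
  const findings = [];
  for (const reqUrl of requestUrls) {
    const u = new URL(reqUrl);
    if (u.hostname === firstPartyHost || BAA_HOSTS.has(u.hostname)) continue;
    const leaked = [];
    for (const [, value] of u.searchParams) {
      let inner;
      try { inner = new URL(value); } catch { continue; } // not an embedded URL
      for (const name of inner.searchParams.keys()) {
        if (SENSITIVE_PARAMS.has(name.toLowerCase()) &&
            inner.searchParams.get(name) !== "[redacted]") {
          leaked.push(name);
        }
      }
    }
    if (leaked.length > 0) findings.push({ host: u.hostname, params: leaked });
  }
  return findings;
}

// Constructed sample: one leak to an ad pixel, one transfer to a BAA vendor,
// one redacted transfer, and one first-party request.
const FIRST_PARTY = "healthplan.example";
const SEARCH_PAGE = "https://healthplan.example/encyclopedia?q=chest+pain";
const SAMPLE_REQUESTS = [
  buildBeaconUrl("pixel.adnetwork.example", SEARCH_PAGE, "c1"),
  buildBeaconUrl("analytics.example-baa-vendor.com", SEARCH_PAGE, "c2"),
  buildBeaconUrl("pixel.adnetwork.example", redactPageUrl(SEARCH_PAGE), "c3"),
  "https://healthplan.example/api/session?cid=c4",
];

const AUDIT_FINDINGS = auditBeacons(SAMPLE_REQUESTS, FIRST_PARTY);
console.log(JSON.stringify(AUDIT_FINDINGS, null, 2));
```

Only the first request is reported: the BAA vendor is allowlisted, the redacted beacon no longer carries the term, and the first-party call is ignored. In practice the same audit logic would run over a HAR capture of a real page load, and `redactPageUrl` belongs in whatever layer hands the page URL to the tag manager, before any third-party script executes.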

Kaiser confirmed that no highly sensitive information such as financial information, Social Security numbers, or usernames and passwords was involved, and there have been no reported instances of misuse of the transferred data. Out of an abundance of caution, notifications are being sent to all individuals who used the websites and apps while the tracking tools were installed. Kaiser said the incident affects members in all markets in which Kaiser Permanente operates, and that notifications are likely to be sent in May 2024. Kaiser has removed the tracking tools from its websites and apps and has implemented additional safeguards to prevent similar incidents in the future.

Regulators have been cracking down on the use of these tools. The HHS’ Office for Civil Rights recently updated its guidance on the use of tracking technologies and HIPAA obligations and confirmed that a patient’s or health plan member’s IP address does constitute PHI and therefore can only be transferred to a third party if that third party is a business associate that has signed a business associate agreement, or if a HIPAA authorization is obtained from the patients or members concerned. The American Hospital Association (AHA) has filed a lawsuit against the HHS over the guidance in an attempt to get it rescinded.

The Federal Trade Commission (FTC) has taken action against several telehealth companies over their use of these tools, including Monument, BetterHelp, Cerebral, and Easy Healthcare for alleged violations of the FTC Act – misrepresenting data privacy and security and disclosing sensitive data to third parties for advertising purposes. Many lawsuits have been filed against healthcare organizations over these disclosures. According to BakerHostetler, more than 200 lawsuits have been filed over the use of these tools on healthcare websites and apps, 75% of which were filed in 2023.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/