Kaiser Permanente to Pay up to $47.5 Million to Settle Website & App Tracking Lawsuit
A settlement has been agreed to resolve a class action lawsuit against Kaiser Permanente’s health insurance division, Kaiser Foundation Health Plan, related to its use of tracking technologies on websites and mobile applications between 2017 and 2024. Kaiser has agreed to establish a $46 million settlement fund, which will potentially be increased to $47.5 million if certain conditions are met.
Kaiser conducted a voluntary internal audit in 2024 into its use of tracking tools, which had been added to various websites and applications. In April 2024, after determining that members’ data may have been impermissibly disclosed, a breach report was submitted to the Department of Health and Human Services’ Office for Civil Rights, indicating that the protected health information of up to 13.4 million members may have been impermissibly disclosed to third parties via these tools. Individual notifications were mailed to the potentially affected individuals, and several class action lawsuits were filed in response to the data breach. The lawsuits were consolidated in the U.S District Court for the Northern District of California, San Francisco division.
The consolidated lawsuit named Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Kaiser Foundation Health Plan of Washington as defendants and alleged that the tracking technologies transmitted sensitive data to Google, Microsoft, X, Quantum Metric, Adobe, and other tech firms without website users’ knowledge or consent. The information disclosed included names, IP addresses, and information related to members’ interactions with Kaiser websites and apps. The plaintiffs claimed that they suffered injuries as a result of the data breach.
The lawsuits alleged that Kaiser’s use of these tools violated the federal Electronic Communications Privacy Act, and many state laws, including the California Confidentiality of Medical Information Act, Maryland Wiretapping and Electronic Surveillance Act, Georgia Computer Systems Protection Act, District of Columbia Consumer Security Breach Notification Act, and Washington Privacy Act. In addition to alleged violations, the lawsuit asserted claims of negligence, breach of implied contract, breach of express contract, and invasion of privacy-intrusion upon seclusion.
The defendants deny any wrongdoing and disagree with the claims and contentions in the lawsuit, and also believe that the plaintiffs and class members are not entitled to the relief they seek, as they have not suffered any of the damages stated in the lawsuit. As is common in class action data breach lawsuits, the decision to settle was due to the anticipated time and cost of continuing with the litigation and the risks associated with a trial and any appeals. Class counsel and the plaintiffs agreed that the settlement is fair and is in the best interests of the class.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for April 30, 2026. Class members who submit a claim will receive an equal pro rata share of the settlement fund, after attorneys’ fees and expenses, settlement administration costs, and service awards have been deducted. The cash payments will be determined by the number of valid claims received. Class members consist of individuals who logged in to a qualifying Kaiser website, patient portal, or app between November 2017 and May 2024.
