13.4M Kaiser Insurance Members Affected by Data Leak to Online Advertisers

Tracking code used for keeping tabs on how members navigated through the healthcare giant's online and mobile sites was oversharing a concerning amount of information.

Dark Reading Staff, Dark Reading

April 29, 2024

1 Min Read
Medical offices of Kaiser Permanente with name on building
Source: Wirestock, Inc. via Alamy Stock Photo

Hard on the heels of a significant data theft at UnitedHealth, fellow healthcare behemoth Kaiser Permanente publicly announced a data breach affecting 13.4 million current and former insurance members.

Kaiser's systems inadvertently shared patient data with third-party advertisers, including Google, Microsoft, and social platform X, the company said, thanks to the presence of improperly implemented tracking code that Kaiser used to see how its members navigated through its Web and mobile sites.

"Certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors," the company said in a media statement.

The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia.

Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.

"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome — an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights