San Francisco Examiner
Kaiser waited five months to disclose massive data leak
By Troy Wolverton
2024-06-17
Kaiser Permanente in April acknowledged a breach that might have leaked the personal data of 13.4 million of its customers to Google, Microsoft and X. Examiner File
Kaiser Permanente became aware of the data leak that potentially exposed the personal information of 13.4 million customers months earlier than the health-care giant had previously indicated — and told customers and regulators about it months after it was legally required to do so.
However, it reported the leak — which regulators officially consider a data breach — to the U.S. Department of Health and Human Services and California Attorney General Rob Bonta’s office on April 12. Because HHS requires health-care organizations to report breaches within 60 days of discovering them, that timing suggested that Kaiser discovered the leak in February.
Now, though, it’s apparent that Kaiser didn’t report the breach to regulators until more than five months after it discovered the trackers and didn’t notify customers until more than six months had passed.
“I’m really troubled by this notification delay. It’s really problematic,” said Pam Dixon, executive director of the World Privacy Forum, a public interest group. “People need to know when their health data is breached.”
Kaiser spokeswoman Kathleen Chambers declined to say why the organization took longer than 60 days to notify regulators and customers about the breach or what spurred it to launch the investigation that discovered it. Instead, in response to emailed questions, Chambers sent over the same statement the health-care giant released in April, acknowledging the breach but offering no details on when or how Kaiser discovered it or what prompted its investigation.
In that statement, Kaiser said that the trackers on its websites and apps potentially transmitted to Google, Microsoft and X customers’ names and IP addresses, the terms they used to search its encyclopedia of health terms, data indicating whether they were signed into the organization’s websites or apps, and how they navigated those websites or apps.
In its notifications about the breach, Kaiser appeared to play down the seriousness of the incident. The organization referred to the affected data simply as “personal information” and said that patients’ financial information, Social Security numbers and credit-card numbers weren’t compromised.
“Kaiser Permanente is not aware of any misuse of your information,” it said in its notification to patients last month.
But under HHS rules, any patient data held by a health-care organization is considered to be protected health information, and providers are legally required to safeguard it, Dixon said.
For about 20 years, the agency has also barred health-care providers from using such patient information for marketing purposes without patients’ consent, said Deven McGraw, the chief regulatory and privacy officer of Ciitizen Health, a San Francisco-based company that helps people collect their medical information and share it with their providers.
While Kaiser hasn’t disclosed the purpose of the trackers used on its websites and apps, such technologies are typically used to collect data to target advertisements to individuals. The kind of information exposed in its leak could be used to infer particular patients’ locations and medical conditions.
As a health-care provider’s patients dive deeper into its website or an app, if there are trackers, “you run a very big risk that the data you’re sending to advertisers is [protected health information],” said McGraw, a former deputy director for health information privacy at HHS’s Office for Civil Rights.
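To make the mechanism McGraw describes concrete, the following is an added audit script, not code from Kaiser, the Examiner, or any tracking vendor. It takes a browser's outbound requests (as you would export them from a HAR file or a proxy log) and reports, for each request to a known ad/analytics host, what patient context that single request hands the vendor: the Referer path, the page URL echoed as a query parameter, the on-site search term, and any sign-in flag. The tracker hostnames, the provider domain healthcare.example, the parameter names and the sample requests are all assumptions constructed for illustration.

```python
"""Audit outbound browser requests for third-party trackers that carry
patient context (search terms, page paths, sign-in state) off-site.
Added example for this article; not Kaiser's, the Examiner's or any
vendor's code. Hostnames, parameter names and sample data are assumed."""
from urllib.parse import parse_qs, urlparse

# Assumed mapping of well-known tracker endpoints to the vendor behind them.
TRACKER_HOSTS = {
    "www.google-analytics.com": "Google",
    "www.googletagmanager.com": "Google",
    "bat.bing.com": "Microsoft",
    "analytics.twitter.com": "X",
}
FIRST_PARTY_HOST = "healthcare.example"            # assumed provider domain
SEARCH_PARAMS = {"q", "query", "search", "term"}   # assumed on-site search keys
SIGNIN_VALUES = {"signed_in", "logged_in", "authenticated", "member"}  # assumed


def search_terms_in(url):
    """Return search terms found in the query string of a first-party URL."""
    parsed = urlparse(url)
    if parsed.netloc != FIRST_PARTY_HOST:
        return []
    return [v for k, vs in parse_qs(parsed.query).items() if k in SEARCH_PARAMS for v in vs]


def audit_requests(records):
    """records: dicts with 'url' and 'referer' (the page that fired the request).
    Returns one finding per request to a tracker host, listing the patient
    context that request alone would reveal to the vendor."""
    findings = []
    for rec in records:
        parsed = urlparse(rec["url"])
        vendor = TRACKER_HOSTS.get(parsed.netloc)
        if vendor is None:
            continue  # first-party or unknown host: not audited here
        leaks = []
        referer = urlparse(rec.get("referer", ""))
        params = parse_qs(parsed.query)
        values = [v for vs in params.values() for v in vs]

        # 1. The Referer header alone tells the vendor which page the user read.
        if referer.netloc == FIRST_PARTY_HOST and referer.path not in ("", "/"):
            leaks.append(f"referer_path={referer.path}")

        # 2. Many tags copy the full page URL into a parameter; parse those
        #    values as URLs so a search term hidden inside them is caught too.
        echoed_terms = set()
        for key, vs in params.items():
            for value in vs:
                inner = urlparse(value)
                if inner.scheme in ("http", "https") and inner.netloc == FIRST_PARTY_HOST:
                    leaks.append(f"page_url_in_query={key}")
                    echoed_terms.update(search_terms_in(value))

        # 3. Report each search term and every channel it travelled through.
        referer_terms = set(search_terms_in(rec.get("referer", "")))
        for term in sorted(referer_terms | echoed_terms):
            via = [src for src, hit in (("referer", term in referer_terms),
                                        ("query", term in echoed_terms or term in values)) if hit]
            leaks.append(f"search_term={term} (via {'+'.join(via)})")

        # 4. Custom dimensions that reveal whether the visitor is a signed-in patient.
        for key, vs in params.items():
            for value in vs:
                if value.lower() in SIGNIN_VALUES:
                    leaks.append(f"signin_state={key}={value}")

        findings.append({"vendor": vendor, "host": parsed.netloc, "leaks": leaks})
    return findings


# Constructed sample: one health-encyclopedia search that fires three tracker
# beacons plus a harmless first-party asset load.
PAGE = "https://healthcare.example/encyclopedia/search?q=hiv+treatment"
SAMPLE_REQUESTS = [
    {"url": PAGE, "referer": ""},
    {"url": "https://www.google-analytics.com/collect?v=1&t=pageview"
            "&dl=https%3A%2F%2Fhealthcare.example%2Fencyclopedia%2Fsearch%3Fq%3Dhiv%2Btreatment"
            "&cd1=signed_in", "referer": PAGE},
    {"url": "https://bat.bing.com/action/0?evt=pageLoad"
            "&p=https%3A%2F%2Fhealthcare.example%2Fencyclopedia%2Fsearch%3Fq%3Dhiv%2Btreatment",
     "referer": PAGE},
    {"url": "https://cdn.healthcare.example/static/app.js", "referer": PAGE},
    {"url": "https://analytics.twitter.com/i/adsct?txn_id=o1abc",
     "referer": "https://healthcare.example/"},
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE_REQUESTS):
        print(f"{f['vendor']:<10} {f['host']:<26} {', '.join(f['leaks']) or '(visit only)'}")
```

Feed it a real export by loading each HAR entry's request URL and Referer header into a record. The stripped-Referer case is the one worth remembering: a strict Referrer-Policy removes only the first finding, because the tag script itself copies the page location (search term included) into its own beacon, so the audit still reports the term as leaked "via query".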
It’s possible that in the past, many compliance officers at health-care organizations such as Kaiser didn’t know their websites had trackers or didn’t realize those trackers could collect protected patient information, McGraw said. But a series of class-action lawsuits have been filed in recent years, charging that certain health-care providers disclosed patient information without their consent via tracking technologies.
Kaiser representatives have said that the lawsuit against Microsoft and Qualtrics didn’t prompt their investigation into the use of tracking technologies on the organization’s websites and apps.
Even with the new information from Kaiser about when it discovered the leak, the organization still hasn’t said how long the trackers were in place. It could be a while before any such information is made public.
Because HHS has yet to conclude any of its investigations into the use of trackers, it’s unclear how it will handle cases such as Kaiser’s, said Iliana Peters, a former acting deputy director of data privacy at the agency. But the agency’s Office for Civil Rights, which handles privacy issues, is clearly focused on and prioritizing the issue, she said.
“I have clients with ongoing [tracking-related] investigations,” she said. “We are very aware that OCR opened many investigations after publication of [the tracking] guidance.”