    San Francisco Examiner

    Kaiser waited five months to disclose massive data leak

    By Troy Wolverton

    2024-06-17
    Kaiser Permanente in April acknowledged a breach that might have leaked the personal data of 13.4 million of its customers to Google, Microsoft and X. Examiner File

    Kaiser Permanente became aware of the data leak that potentially exposed the personal information of 13.4 million customers months earlier than the health-care giant had previously indicated — and told customers and regulators about it months after it was legally required to do so.

    In a letter to customers dated May 31, Kaiser said it “determined” on Oct. 25 that it might have been transmitting customer data to Google, Microsoft and X via tracking technologies on its websites and mobile apps. The Oakland-based health-care giant hadn’t previously given a date for when it discovered the data leak.

    However, it reported the leak — which regulators officially consider a data breach — to the U.S. Department of Health and Human Services and California Attorney General Rob Bonta’s office on April 12. Because HHS requires health-care organizations to report breaches within 60 days of discovering them, that timing suggested that Kaiser discovered the leak in February.

    Now, though, it’s apparent that Kaiser didn’t report the breach to regulators until more than five months after it discovered the trackers and didn’t notify customers until more than six months had passed.

    “I’m really troubled by this notification delay. It’s really problematic,” said Pam Dixon, executive director of the World Privacy Forum, a public interest group. “People need to know when their health data is breached.”

    Kaiser spokeswoman Kathleen Chambers declined to say why the organization took longer than 60 days to notify regulators and customers about the breach or what spurred it to launch the investigation that discovered it. Instead, in response to emailed questions, Chambers sent over the same statement the health-care giant released in April, acknowledging the breach but offering no details on when or how Kaiser discovered it or what prompted its investigation.

    In that statement, Kaiser said that it potentially transmitted customers’ names and IP addresses, the terms they used to search its encyclopedia of health terms, data indicating whether they were signed into the organization’s websites or apps, and how they navigated those websites or apps to the three companies.

    In its notifications about the breach, Kaiser appeared to play down the seriousness of the incident. The organization referred to the affected data simply as “personal information” and said that patients’ financial information, Social Security numbers and credit-card numbers weren’t compromised.

    “Kaiser Permanente is not aware of any misuse of your information,” it said in its notification to patients last month.

    But under HHS rules, any patient data held by a health-care organization is considered to be protected health information, and providers are legally required to safeguard it, Dixon said.

    For about 20 years, the agency has also barred health-care providers from using such patient information for marketing purposes without patients’ consent, said Deven McGraw, the chief regulatory and privacy officer of Ciitizen Health, a San Francisco-based company that helps people collect their medical information and share it with their providers.

    While Kaiser hasn’t disclosed the purpose of the trackers used on its websites and apps, such technologies are typically used to collect data to target advertisements to individuals. The kind of information exposed in its leak could be used to infer particular patients’ locations and medical conditions.

    As a health-care provider’s patients dive deeper into its website or an app, if there are trackers, “you run a very big risk that the data you’re sending to advertisers is [protected health information],” said McGraw, a former deputy director for health information privacy at HHS’s Office for Civil Rights.
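    The risk McGraw describes is easiest to see in the outbound requests a tracker makes: the visited page address (with any search query in it), a visitor identifier and the signed-in state ride along to the third party. The following audit script is an added example, not code from the article or from Kaiser; it takes a reduced browser capture (URL plus form-encoded body), treats the assumed host `portal.example-health.org` as first-party, and flags third-party requests that carry search terms, identity or login fields, or a forwarded page path. All hosts and parameter names are constructed for illustration.

```python
"""Audit captured outbound requests from a health portal for third-party
tracker calls that forward patient-identifying or health-related data."""
from urllib.parse import urlparse, parse_qs

FIRST_PARTY = "portal.example-health.org"             # assumed site under audit
# Parameter names that typically carry identity, login state or search terms
IDENTITY_KEYS = {"uid", "user_id", "cid", "email", "name", "ip", "signed_in"}
SEARCH_KEYS = {"q", "query", "search", "term"}
# URL-valued params through which trackers forward the visited page address
PAGE_URL_KEYS = {"dl", "dr", "p", "url", "referrer", "page"}

def _flatten(params):
    """Expand URL-valued params so a search term embedded in a forwarded page
    address (e.g. dl=https://site/encyclopedia?search=...) is inspected too."""
    out = dict(params)
    for key in list(params):
        for value in params[key]:
            if key in PAGE_URL_KEYS and value.startswith("http"):
                inner = urlparse(value)
                out.setdefault("__path__", []).append(inner.path)
                for k, v in parse_qs(inner.query).items():
                    out.setdefault(k, []).extend(v)
    return out

def audit_request(url, body=""):
    """Return the reasons this request leaks data to a third party, or an
    empty list if it is first-party or carries nothing sensitive."""
    parsed = urlparse(url)
    if parsed.hostname == FIRST_PARTY:
        return []
    params = parse_qs(parsed.query)
    for k, v in parse_qs(body).items():             # form-encoded POST body
        params.setdefault(k, []).extend(v)
    params = _flatten(params)
    reasons = []
    if IDENTITY_KEYS & params.keys():
        reasons.append("identity or login state sent")
    if SEARCH_KEYS & params.keys():
        reasons.append("search term sent")
    if any(p not in ("", "/") for p in params.get("__path__", [])):
        reasons.append("visited page path sent")
    return [f"{parsed.hostname}: {r}" for r in reasons]

# Constructed sample capture; hosts and values are made up for illustration
SAMPLE = [
    ("https://portal.example-health.org/api/search?q=diabetes", ""),
    ("https://collect.example-ads.net/hit?cid=91&dl=https%3A%2F%2Fportal.example-health.org%2Fencyclopedia%3Fsearch%3Dhiv%2Btesting", ""),
    ("https://px.example-social.com/i/adsct", "signed_in=1&p=https%3A%2F%2Fportal.example-health.org%2Fappointments%2Foncology"),
    ("https://cdn.example-fonts.com/font.woff2", ""),
]

def audit_capture(requests):
    """Run audit_request over every (url, body) pair and collect findings."""
    return [r for url, body in requests for r in audit_request(url, body)]
```

Run against a real HAR export, the same logic reveals which page paths and query strings a site's trackers forward; a clean audit shows only first-party hosts or third-party calls with no flagged fields.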

    It’s possible that in the past, many compliance officers at health-care organizations such as Kaiser didn’t know their websites had trackers or didn’t realize those trackers could collect protected patient information, McGraw said. But a series of class-action lawsuits has been filed in recent years, charging that certain health-care providers disclosed patient information without their consent via tracking technologies.

    One such case was filed against Microsoft and online marketing firm Qualtrics in May 2023 regarding trackers allegedly used by Kaiser.

    Meanwhile, HHS put health-care providers on notice in December 2022 that trackers on their websites and apps could violate the Health Insurance Portability and Accountability Act, a federal law passed in 1996 that was intended in part to establish guidelines regarding protection of customers’ personal information for the industry. The agency updated and reiterated that guidance in July and again in March.

    Kaiser representatives have said that the lawsuit against Microsoft and Qualtrics didn’t prompt their investigation into the use of tracking technologies on the organization’s websites and apps.

    Even with the new information from Kaiser about when it discovered the leak, the organization still hasn’t said how long the trackers were in place. It could be a while before any such information is made public.

    Because HHS has yet to conclude any of its investigations into the use of trackers, it’s unclear how it will handle cases such as Kaiser’s, said Iliana Peters, a former acting deputy director of data privacy at the agency. But the agency’s Office of Civil Rights, which handles privacy issues, is clearly focused on and prioritizing the issue, she said.

    “I have clients with ongoing [tracking-related] investigations,” she said. “We are very aware that OCR opened many investigations after publication of [the tracking] guidance.”
