Kaiser data breach incidents: what patients should know about the HIPAA violation

Kaiser Permanente, a non-profit healthcare and health insurance provider operating in eight states and the District of Columbia, recently disclosed two sizable data security incidents.
In 2023, third-party tracking technologies collected sensitive data of approximately 13.4 million Kaiser website and mobile app users without their consent. The following year, sensitive data of approximately 44,000 Kaiser customers was compromised in an email data breach.
Both of these incidents triggered HIPAA concerns and potentially violated some federal and state laws. Legal action followed, including mass arbitration efforts and a class action lawsuit.
This article will break down each Kaiser data breach and discuss the legal implications, including the potential Kaiser HIPAA violation. We will also guide you on what steps to take after a healthcare data breach incident.

Kaiser data breach 2023: what happened?
Kaiser Permanente disclosed that third-party tracking technologies operating on its websites and mobile apps had transmitted personal information of approximately 13.4 million users to third-party vendors. The issue was identified in October 2023 and publicly disclosed in May 2024.
What technologies and tracking tools were used?
Several tracking technologies were running in the background on Kaiser Permanente's digital platforms:
- Google Analytics
- Google Ads
- Microsoft Bing Ads
- Meta Pixel
- X
These technologies use cookies, pixels, and more to analyze how users interact with a website and create targeted advertising strategies.
What data was involved?
The tracking tools collected interaction data and certain personal information, including:
- IP addresses
- Names
- Whether a user was signed into their Kaiser Permanente account
- How a user navigated through the website or mobile app
- Search terms used within the health encyclopedia
Medical records, financial data, and government identifiers, such as Social Security numbers (SSNs), were not exposed. Kaiser Permanente noted that, so far, there are no indications that the data has been misused.
How was the data collected and shared?
Imagine logging in to your Kaiser patient profile, looking up “depression treatment”, and clicking on pages that offer information or list nearby therapists.
With tracking tools installed on the Kaiser Permanente platforms, that information would be sent to third-party vendors like Google, Meta, Microsoft, and X.
Next, you might start seeing ads for online therapy on Facebook or Instagram, although you never looked up anything mental health-related on these platforms.
Who was affected?
The privacy incident impacted approximately 13.4 million individuals who used Kaiser Permanente’s digital platform.
The most exposed were the patients who logged into their accounts, as tracking tools may have captured scheduled appointments or specific care pages they accessed.
When and how was the breach disclosed?
Kaiser Permanente conducted a voluntary internal investigation on its use of third-party technologies. The breach was discovered on October 25, 2023. On May 6, 2024, Kaiser issued a public notice on its website and started sending out data breach notifications to potentially affected customers.
How did Kaiser Permanente respond?
Kaiser Permanente removed third-party tracking tools from its digital platforms and implemented additional security measures to prevent similar incidents in the future.
Kaiser data breach 2024: how did the incident occur?
On September 3, 2024, Kaiser Permanente discovered that its email systems had been breached. In August and September 2024, cybercriminals accessed two employee email accounts through a phishing attack, compromising sensitive information of approximately 44,000 individuals.
What patient data was exposed?
The incident may have exposed the following sensitive patient information:
- Full names
- Dates of birth
- Medical record numbers
- Information related to medical treatment and care
No SSNs or financial information was compromised.
What did Kaiser Permanente do?
Kaiser Permanente disabled the compromised email accounts and conducted a forensic investigation. On November 1, 2024, it also began sending data breach notices to affected patients and offered them call center support.
The healthcare organization stated that there is currently no evidence of the exposed data being misused.
HIPAA regulations and Kaiser data breaches: was there a violation?
Overview of what HIPAA protects
The Health Insurance Portability and Accountability Act (HIPAA) protects any health-related information that could be used to identify a patient and their medical status, known as individually identifiable health information.
This covers both personally identifiable information (PII) and protected health information (PHI): once an identifier is combined with a person's health information, the combination is protected under HIPAA.
Specifically, HIPAA protects:
- Full names
- DOBs
- Street and email addresses
- Phone numbers
- SSNs, government-issued ID and passport numbers, driver’s license numbers
- Medical record numbers
- Appointment dates and times
- Diagnoses
- Lab or test results
- Treatment details
- Claims and billing details
- Any other health-related information that could be tied to an individual
How can tracking tools trigger a HIPAA violation?
In the digital space, PII also includes an IP address, login status, or account ID, since each can be traced back to an individual. The URLs a user visits, such as pages about mental health or cancer treatment, can themselves be PHI once they are tied to that identifier.
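The two passages above (how the tracking tools shared data, and why an IP address, login status, or a visited URL becomes identifiable health information) can be made concrete with a short script. This is an added example, not Kaiser's code and not any vendor's pixel: it builds the kind of page-view beacon a tracking pixel typically sends, flags the fields in it that tie a person to a condition or a care page, and shows a redacted variant that a site operator could use instead. The tracker endpoint, parameter names, site paths and search term are all hypothetical, constructed for the example.

```javascript
// Added example (not Kaiser's or any vendor's code): what a page-view beacon
// from a third-party tracking pixel typically carries, a check that flags the
// identifiable health information in it, and a redacted variant.
// The endpoint, parameter names and site layout below are hypothetical; the
// page URLs and search term are constructed sample input.

const TRACKER_ENDPOINT = "https://tracker.example/collect"; // hypothetical

// Query parameters that carry user-typed search terms on health sites.
const SENSITIVE_PARAMS = new Set(["q", "search", "query", "term"]);
// Path prefixes for authenticated or care-specific pages (assumed layout).
const SENSITIVE_PATHS = ["/myhealth/", "/appointments/", "/health-encyclopedia/"];

// Naive tracker call: sends the full page URL (search terms included), the
// referrer, the visitor's signed-in status and a persistent cookie identifier.
function buildBeacon(pageUrl, referrer, isSignedIn, visitorId) {
  const params = new URLSearchParams({
    ev: "PageView",
    dl: new URL(pageUrl).href,  // document location, query string included
    rl: referrer,               // page the visitor came from
    li: isSignedIn ? "1" : "0", // login status
    cid: visitorId,             // cookie-based visitor identifier
  });
  return `${TRACKER_ENDPOINT}?${params.toString()}`;
}

// Audit check: list the fields in a beacon URL that, on a health site, tie a
// person to a condition or to a care page (the combination HIPAA covers).
function classifyBeacon(beaconUrl) {
  const u = new URL(beaconUrl);
  const findings = [];
  for (const key of ["dl", "rl"]) {
    const raw = u.searchParams.get(key);
    if (!raw) continue;
    let page;
    try { page = new URL(raw); } catch { continue; } // skip malformed referrers
    for (const [k, v] of page.searchParams) {
      if (SENSITIVE_PARAMS.has(k.toLowerCase()) && v) findings.push(`search term: ${v}`);
    }
    if (SENSITIVE_PATHS.some((p) => page.pathname.startsWith(p))) {
      findings.push(`care page: ${page.pathname}`);
    }
  }
  if (u.searchParams.get("li") === "1") findings.push("signed-in status");
  if (u.searchParams.get("cid")) findings.push("persistent visitor id");
  return findings;
}

// Hardened variant: never fire for signed-in visitors or on care pages, and
// drop query string, fragment and referrer so no search term leaves the site.
function buildRedactedBeacon(pageUrl, isSignedIn) {
  const page = new URL(pageUrl);
  if (isSignedIn || SENSITIVE_PATHS.some((p) => page.pathname.startsWith(p))) {
    return null; // no beacon at all
  }
  page.search = "";
  page.hash = "";
  const params = new URLSearchParams({ ev: "PageView", dl: page.href });
  return `${TRACKER_ENDPOINT}?${params.toString()}`;
}

// Usage with constructed sample input: a signed-in visitor searches the
// encyclopedia for "depression treatment" after visiting their account page.
const sampleBeacon = buildBeacon(
  "https://healthplan.example/health-encyclopedia/search?q=depression+treatment",
  "https://healthplan.example/myhealth/",
  true,
  "c-4f9a12"
);
console.log(classifyBeacon(sampleBeacon));
console.log(buildRedactedBeacon("https://healthplan.example/about?utm_source=ad", false));
```

The same `classifyBeacon` check can be run over real outbound requests captured from a browser's network panel or a HAR file: any hit on a care page, a search term, or a signed-in flag is exactly the kind of disclosure the OCR bulletin discussed below is about. The redacted variant is deliberately conservative; the simplest fully safe option is to load no third-party tracker on authenticated pages at all.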
2022 and 2024 Federal guidance on tracking tools
The Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS), is the main federal agency responsible for enforcing HIPAA. In December 2022, it issued a bulletin stating that tracking technologies incorporated on health-related websites can violate HIPAA by collecting and transmitting PHI to third parties without patient consent.
The Federal Trade Commission (FTC), a U.S. government agency responsible for protecting consumers and ensuring fair business practices, reinforced the OCR guidance in 2023 and 2024 by penalizing certain digital health platforms for sharing health data with advertisers, acting under the FTC Act and its Health Breach Notification Rule rather than HIPAA itself, which only OCR enforces.
In 2024, the OCR and FTC jointly restated that even de-identified or inferred digital health data (such as looking up depression treatment) could violate HIPAA if shared without user consent for marketing purposes.
Were Kaiser’s 2023 and 2024 breaches a HIPAA violation?
HIPAA requires health organizations to limit PHI access to the minimum necessary, obtain patient consent before sharing PHI for advertising, and protect PHI from unauthorized use or disclosure by implementing appropriate security measures.
As Kaiser used tracking technologies to collect sensitive patient data without obtaining clear patient consent, the 2023 breach could be seen as a HIPAA violation. The 2024 breach also raises HIPAA concerns, as the health organization failed to protect sensitive patient data. Still, the outcomes of regulatory and legal investigations are pending.
Past FTC enforcement actions: GoodRx, BetterHelp, and Cerebral
The FTC has recently carried out enforcement actions against other health platforms for sharing health data with advertisers without consent:
- GoodRx allegedly shared patient prescription-related data with third parties like Facebook and Google without patient consent. The FTC ordered it to pay a civil penalty of $1.5 million.
- BetterHelp was accused of sharing its users' mental health questionnaire responses, email addresses, and IP addresses with Facebook and Snapchat for marketing purposes while promising users privacy. It was fined $7.8 million.
- Cerebral, by its own account, shared sensitive mental health data of over 3 million users with platforms like Meta and TikTok. It was ordered to pay a $7 million penalty.
Legal consequences and patient lawsuits
Arbitration vs litigation
Cybersecurity incidents affecting a large number of people often end up entangled in legal processes: lawsuits or arbitration. There are a few important differences between the two:
- While litigation is a strict, legal process of resolving a dispute in court, arbitration is a conflict resolution method that takes place outside of court, often in a private setting.
- A judge determines the outcome of a lawsuit, while arbitration is handled by a neutral third-party arbitrator.
- You can appeal the decision of the Judge, but the arbitration outcome is usually non-appealable.
Arbitration is often cheaper, faster, and more private than litigation, which is why some companies, including Kaiser Permanente, require customers to resolve disputes this way. You may be able to join a class action only if arbitration is not part of your agreement with Kaiser or if your claim falls outside its scope.
Class action and arbitration efforts
Lawyers working with the online platform ClassAction.org are gathering information about the 2023 Kaiser Permanente data breach for a mass arbitration case against the healthcare organization.
Simultaneously, attorneys at Labaton Keller Sucharow are pursuing arbitration claims against Kaiser Permanente for violating federal and state wiretapping and medical information privacy laws, under which statutory damages of up to $5,000 may be available.
A class action lawsuit, Doe v. Kaiser Foundation Health Plan, Inc., was filed on May 5, 2023, in the Northern District of California. The lawsuit, which accused Kaiser Permanente of sharing customers’ sensitive information with third parties without consent and violating federal and state laws, was voluntarily dismissed on February 20, 2024.
Another class action may be under way, as the attorneys collaborating with ClassAction.org keep gathering information about the 2024 email data breach.
How to join an arbitration or a lawsuit
You could join mass arbitration efforts or a class action lawsuit against Kaiser Permanente if you’ve received an official breach notification letter.
It’s best to consult a lawyer who can help you assess your claim and keep you informed about the ongoing litigation or arbitration efforts against Kaiser. You can also fill out an online form at ClassAction.org to get in touch with a licensed attorney who is gathering information about the Kaiser data breaches.
Steps to take after a healthcare data incident

Monitor communication from Kaiser
If you think you might have been impacted by Kaiser data breaches, go through your email inbox and physical mailbox for official emails or letters from Kaiser Permanente.
Review online health portal activity
Log in to your Kaiser Permanente health portal account and look for unusual activity, such as new appointment bookings or prescription orders. If you notice anything suspicious, report it to Kaiser immediately.
Scan credit card and bank statements for unknown charges
Although the Kaiser Permanente data breaches didn’t expose any financial information, be sure to check your credit card and bank statements for unauthorized charges you might have missed.
Put a fraud alert on your credit reports
A fraud alert on your credit report notifies potential creditors to take extra precautions when verifying your identity and approving new credit. You can place a fraud alert by contacting any of the three major credit reporting agencies (Experian, Equifax, or TransUnion), and they will notify the other two for you. Once you set up a fraud alert, you can get a free copy of your credit report from each agency.
Contact the FTC if necessary
If you believe your personal information has been misused, report the incident directly to the FTC by filing an identity theft report, either online at IdentityTheft.gov or by phone.
File a police report
In addition to contacting the FTC, file a police report about the incident. Although local police may not be able to help with online identity theft, the report gives you a paper trail, and it may support local investigations of data theft within their jurisdiction.
Protect your SSN
If you believe your SSN may have been compromised, proactively contact the Social Security Administration (800-269-0271) and the Internal Revenue Service (800-829-0433), even if there is no evidence of misuse yet. This flags your records for potential misuse and helps prevent identity theft and tax fraud.
Take preventive steps going forward
There is no guarantee against ID theft, but you can still take proactive steps to protect your sensitive data:
- Use a unique, strong password for every account (a password manager makes this practical), and turn on multi-factor authentication wherever it is offered, including your patient portal.
- Be mindful of what you share on social networks and keep personal information, such as your street address and phone number, private.
- Don’t ever reveal information that might be part of your online security questions, like your first pet’s name or your mother’s maiden name.
- Shred documents containing personal information before discarding them.
- Avoid carrying your Social Security card in your wallet.
FAQs
Was Kaiser hacked or was this a data-sharing issue?
In 2023, Kaiser Permanente experienced a data-sharing incident that involved third-party tracking tools collecting sensitive information of its digital platform users. There was no hacking involved.
A phishing attack led to the 2024 data breach incident. The email accounts of two employees were hacked, exposing sensitive information of Kaiser Permanente customers.
What kind of personal data was exposed in the Kaiser breach?
The 2023 data breach may have exposed the users’ names, IP addresses, account sign-in status, website and app interactions and navigation details, and search terms entered into Kaiser’s health encyclopedia.
The 2024 email data breach may have exposed the patients’ names, DOBs, medical record numbers, and other medical information.
SSNs and financial information were not exposed.
Is this considered a HIPAA violation?
The 2023 Kaiser Permanente incident could be considered a HIPAA violation, but the investigation is still ongoing. The 2024 email breach also raises HIPAA concerns, though it is more likely to predominantly implicate other federal and state laws.
Can I join a lawsuit against Kaiser Permanente?
If you have received an official data breach notice from Kaiser Permanente, you might be able to join a lawsuit. It would be best to consult a legal representative investigating the Kaiser breaches to discuss the specifics of your situation.
Should I stop using the Kaiser patient portal?
Kaiser Permanente has disabled third-party trackers and improved its cybersecurity protocols. Although there is no reason to fear using the patient portal now, we understand why some users might not feel comfortable with the idea.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.