Kaiser Permanente notifies 13.4 million members of data breach

Health insurance giant Kaiser Permanente has apologized to 13.4 million of its members because some of their search information may have been inadvertently transmitted to Google, other search engines and media platforms.

The Oakland-based company reported that “certain online technologies” previously installed on Kaiser Permanente’s websites and apps transmitted information such as medical terms that members searched for on the company’s website to Google, Microsoft Bing and X, the former social media platform. known as Twitter, the company said in a statement to its members on April 12 and shared with The Times on Friday.

Kaiser Permanente is one of the nation’s largest private, nonprofit health care organizations, with 40 hospitals, 618 physician offices, more than 24,000 doctors and 73,000 nurses, according to the company’s website.

No usernames, passwords, social security numbers, financial account information or credit card numbers were shared with these platforms, the company said.

Information that may have been shared includes the unique Internet address that identifies a person’s computer on a network, commonly called an IP address. User names may also have been transmitted and “information that could indicate that a member or patient has been connected to a Kaiser Permanente account or service, information showing how a member or patient has interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia,” according to the release.

The company said the “online technologies” causing the unauthorized transmission had been removed from its websites and mobile applications.

“Kaiser Permanente is not aware of any misuse of any member or patient’s personal information,” the company said in its statement. “Nevertheless, out of an abundance of caution, we are notifying approximately 13.4 million current and former members and patients who have accessed our websites and mobile applications. We apologize that this incident occurred.

The company said it had “implemented additional measures, under the guidance of experts, intended to guard against the recurrence of this type of incident.”

Another healthcare provider also notified its members this month of a data breach.

City of Hope, which includes medical facilities in California, Arizona, Illinois and Georgia, notified its members that someone accessed their information and obtained copies of certain records between September 19 and October 12, 2023 , the company announced in a notice published in April. 2.

The type of information stolen from City of Hope varies among members, but includes email addresses, phone numbers, date of birth, Social Security and driver’s license numbers, and other personal information. Government and financial identification, such as bank account numbers and credit card details, according to the City of Hope. Health insurance information, medical records, and information about medical history and associated conditions may also have been stolen, as well as unique identifiers to associate individuals with City of Hope, such as their medical record numbers , the company said.

“Upon discovery of this incident, City of Hope immediately implemented mitigation measures,” the company said. “We then quickly implemented additional and enhanced protective measures and enlisted the support of a leading cybersecurity firm to improve the security of our network, systems and data. »

The company offers free identity monitoring services for two years to its members. They also notified law enforcement and regulators of the data breach while launching their own internal investigation, the company said.