US healthcare giant Kaiser Foundation Health Plan has apparently accidentally exposed sensitive data about millions of its current and former patients.
Data inadvertently shared with advertisers includes members’ names and IP addresses, and information about their membership status with Kaiser Permanente. Additionally, the company leaked information about how members interacted with the website and apps, and what they searched for in the health encyclopedia.
A total of 13.4 million people have been affected by this mishap, the company has confirmed, adding that it is preparing to send data breach notifications to all of them.
Focused on healthcare
The company confirmed the news through a statement shared with TechCrunchnoting that its website and mobile applications used “certain online technologies” (tracking codes) that may have sent personal information to third-party vendors, believed to include Google, Microsoft and X.
Kaiser filed a notice with the U.S. government and informed California’s attorney general of what happened.
Because of the sensitivity of the data they store, healthcare organizations are a constant target for cybercriminals. Recently, Change Healthcare was hit by a major ransomware attack where the threat actors stole 4TB of valuable files. In exchange for keeping the data private and not sharing it on the dark web, the attackers demanded $22 million in cryptocurrency.
In late 2023, following a supply chain attack on ESO Solutions, sensitive data from a number of healthcare organizations in the US was stolen, and in March of the same year, both Zoll Medical and Independent Living Systems reported data breaches.
The Kaiser Foundation Health Plan is the parent organization of Kaiser Permanente and claimed to have more than 12 million members last year.