website pixel tracking at Kaiser

Kaiser Breach is the Largest So Far this Year

Kaiser Foundation Health Plan, Inc. (KFHP) must notify 13.4 million current and former patients that their personal information was breached. Kaiser filed breach reports with HHS and the state of California earlier this month, and TechCrunch published an article on April 25 describing the breach. As of today, however, Kaiser has not yet posted a breach notice on its website.

Kaiser Foundation is part of Kaiser Permanente, an integrated managed care consortium based in Oakland, California. It operates hospitals, medical offices and health plans in eight states and the District of Columbia.

Kaiser used website tracking technology that shared patients’ information with third-party advertisers, including Google, Microsoft, and X (formerly Twitter). Kaiser has since removed the website trackers from its systems.

According to TechCrunch, the patient information compromised includes names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”

Website Tracking in Healthcare May Violate HIPAA

Website trackers in healthcare have been controversial since 2022, when the Office for Civil Rights (OCR), which enforces HIPAA, first published a Bulletin explaining the HIPAA risks of online tracking technologies for covered entities and business associates.

According to OCR:

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

Since then, the Federal Trade Commission (FTC) has investigated and fined online healthcare companies like GoodRx, Premom, BetterHelp, Monument, and Cerebral for using online tracking tools. The FTC has its own breach notification rule and enforces consumer rights and privacy laws. It may enforce HIPAA against HIPAA-regulated entities but can also enforce health privacy laws against companies that HIPAA does not govern.

The American Hospital Association (AHA) believes OCR has overstepped its authority by targeting healthcare providers for using tracking technologies. Its central argument is that an IP address should not be considered “protected health information“; therefore, healthcare providers should be permitted to share this data point with third parties. The FTC and OCR have held firm and will continue to enforce the law as written.

Class Action Lawsuits

The Kaiser breach joins a long list of other data breaches that end up in court. And when the number of patients affected is so high, a class action lawsuit will follow.

A class action lawsuit against Kaiser over website tracking is pending in the Northern District of California. Doe v. Kaiser Foundation Health Plan, Inc. et al. was filed on May 5, 2023; it was later amended to include additional claims and additional plaintiffs allegedly harmed by the disclosures of personal information.

Kaiser filed a motion to dismiss the case, but on April 11, 2024, the Judge ruled that six of the twenty-one claims may stand and dismissed fifteen others.

Avoid Website Trackers and Follow HIPAA

If you are handling personal health information, you should closely examine your website, email service provider, patient portal, and telehealth provider to learn whether website trackers are present.

This is essential for complying with federal law, whether HIPAA or FTC rules, and defending against lawsuits.

Strengthening privacy and security protections for patients and customers is also a good business practice for earning and maintaining trust.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2024 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU