Kaiser Foundation Health Plan, Inc. (KFHP) must notify 13.4 million current and former patients that their personal information was breached. Kaiser filed breach reports with HHS and the state of California earlier this month, and TechCrunch published an article on April 25 describing the breach. As of today, however, Kaiser has not yet posted a breach notice on its website.
Kaiser Foundation is part of Kaiser Permanente, an integrated managed care consortium based in Oakland, California. It operates hospitals, medical offices and health plans in eight states and the District of Columbia.
Kaiser had embedded tracking code from third-party advertising and analytics vendors, including Google, Microsoft, and X (formerly Twitter), in its website and mobile applications, and that code sent patients’ information to those vendors. Kaiser says it has since removed the trackers from its systems.
According to TechCrunch, the patient information compromised includes names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members “interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”
Website Tracking in Healthcare May Violate HIPAA
Website trackers in healthcare have been controversial since 2022, when the Office for Civil Rights (OCR), which enforces HIPAA, first published a Bulletin explaining the HIPAA risks of online tracking technologies for covered entities and business associates.
According to OCR:
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
Since then, the Federal Trade Commission (FTC) has taken enforcement action against online healthcare companies such as GoodRx, Premom, BetterHelp, Monument, and Cerebral for sharing users’ health data through online tracking tools. The FTC does not enforce HIPAA itself; that is OCR’s role. It enforces consumer protection and privacy law under the FTC Act, which reaches HIPAA-regulated entities and companies HIPAA does not govern alike, and it has its own Health Breach Notification Rule for health apps and other services that fall outside HIPAA.
The American Hospital Association (AHA) contends that OCR has overstepped its authority by targeting healthcare providers for using tracking technologies. Its central argument is that an IP address, even combined with a visit to a public webpage, is not “protected health information,” so providers should be permitted to share that data point with third parties. OCR and the FTC have not backed down and continue to enforce the law as they read it.
Class Action Lawsuits
The Kaiser breach joins a long list of data breaches that end up in court, and with this many patients affected, class action litigation is all but certain.
A class action lawsuit against Kaiser over website tracking is pending in the Northern District of California. Doe v. Kaiser Foundation Health Plan, Inc. et al. was filed on May 5, 2023; it was later amended to include additional claims and additional plaintiffs allegedly harmed by the disclosures of personal information.
Kaiser moved to dismiss the case, but on April 11, 2024, the judge ruled that six of the twenty-one claims may proceed and dismissed the other fifteen.
Avoid Website Trackers and Follow HIPAA
If you handle protected health information, closely examine your website, patient portal, telehealth platform, email service provider, and mobile apps for third-party tracking code: analytics and advertising scripts, tracking pixels, and embedded SDKs. For each one you find, determine what it transmits (page URLs and query strings, referrers, whether the visitor is signed in, form and search inputs) and whether the vendor has signed a business associate agreement; under OCR’s Bulletin, sending PHI to a tracking vendor without one is an impermissible disclosure.
This is essential for complying with federal law, whether HIPAA or FTC rules, and for defending against lawsuits.
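The following script is an added example of the audit described above; it is not Kaiser’s code or anything from the TechCrunch report. It does two things: it parses a page’s HTML for script, image, iframe and link tags that load from well-known tracker hosts, and it inspects a list of outbound request URLs (the kind you would copy out of a browser’s network panel or a HAR export) to show what a tracker call carries back to the vendor. The tracker hostnames, the query-parameter names that carry the page URL, the sensitive first-party parameter names, and the sample HTML and request URLs are all assumptions constructed for the example. Note that the visitor’s IP address never appears in any URL; it is disclosed by the connection to the vendor’s host itself, so every hit in the first report is an IP-address disclosure regardless of what else is sent.

```python
"""Audit constructed HTML and outbound request URLs for third-party trackers.

Added example. TRACKER_HOSTS, the parameter-name sets and all sample data are
assumptions built for illustration, not taken from any real patient portal.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Hostnames served by common advertising/analytics vendors (assumed list).
TRACKER_HOSTS = {
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "analytics.google.com": "Google Analytics",
    "bat.bing.com": "Microsoft Advertising (UET)",
    "static.ads-twitter.com": "X/Twitter pixel",
    "analytics.twitter.com": "X/Twitter pixel",
}

# Query parameters on tracker calls that typically carry the current page URL
# or referrer to the vendor (assumed names).
URL_CARRYING_PARAMS = {"dl", "dr", "p", "r", "url", "referer", "referrer"}

# First-party query parameters whose values are sensitive on a healthcare
# site, e.g. a health-encyclopedia search box (assumed names).
SENSITIVE_FIRST_PARTY_PARAMS = {"q", "query", "search", "term", "condition"}


class LoaderCollector(HTMLParser):
    """Collect src/href values of tags that make the browser contact another host."""
    LOADER_TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.LOADER_TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(value)


def vendor_for_host(host):
    """Match a hostname, or any parent domain of it, against TRACKER_HOSTS."""
    host = (host or "").lower()
    while host:
        if host in TRACKER_HOSTS:
            return TRACKER_HOSTS[host]
        host = host.partition(".")[2]  # strip the leftmost label and retry
    return None


def find_third_party_loaders(html, first_party_host):
    """Return (url, vendor) pairs for resources loaded from a known tracker vendor."""
    collector = LoaderCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        host = urlsplit(url).hostname  # scheme-relative '//host/x' parses too
        if host and host != first_party_host:
            vendor = vendor_for_host(host)
            if vendor:
                findings.append((url, vendor))
    return findings


def flag_leaky_requests(request_urls, first_party_host):
    """For each outbound request to a tracker vendor, report the first-party page
    URL it carries and any sensitive search parameter embedded in that URL."""
    findings = []
    for req in request_urls:
        parts = urlsplit(req)
        vendor = vendor_for_host(parts.hostname)
        if not vendor:
            continue  # first-party request, nothing leaves the site
        for param, values in parse_qs(parts.query).items():
            if param not in URL_CARRYING_PARAMS:
                continue
            for carried in values:  # parse_qs already percent-decodes the value
                inner = urlsplit(carried)
                if inner.hostname != first_party_host:
                    continue
                leaked = {k: v for k, v in parse_qs(inner.query).items()
                          if k in SENSITIVE_FIRST_PARTY_PARAMS}
                findings.append({"vendor": vendor, "tracker_host": parts.hostname,
                                 "page": carried, "leaked_terms": leaked})
    return findings


# Constructed sample page and network log for a hypothetical portal.example.org.
SAMPLE_HTML = """
<html><head>
<script src="/static/portal.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<script src="//bat.bing.com/bat.js"></script>
<img src="https://analytics.twitter.com/i/adsct?txn_id=EXAMPLE" height="1" width="1">
<link rel="stylesheet" href="/static/portal.css">
</head><body></body></html>
"""
SAMPLE_REQUESTS = [
    "https://portal.example.org/encyclopedia/search?q=hiv+testing",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE"
    "&dl=https%3A%2F%2Fportal.example.org%2Fencyclopedia%2Fsearch%3Fq%3Dhiv%2Btesting",
    "https://bat.bing.com/action/0?ti=EXAMPLE&p=https%3A%2F%2Fportal.example.org%2Faccount%2Fhome",
]

if __name__ == "__main__":
    for url, vendor in find_third_party_loaders(SAMPLE_HTML, "portal.example.org"):
        print(f"loads {vendor}: {url}")
    for f in flag_leaky_requests(SAMPLE_REQUESTS, "portal.example.org"):
        print(f"{f['vendor']} received page {f['page']} leaked terms {f['leaked_terms']}")
```

In the constructed log, the Google Analytics hit carries the encyclopedia search term and the Microsoft hit carries the URL of a signed-in account page, which is exactly the kind of disclosure the TechCrunch report describes. Run the same two functions over the HTML your portal actually serves and a HAR export from a logged-in session; a static scan alone misses trackers that are injected at runtime by a tag manager, which is why the request-log pass matters.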
Strengthening privacy and security protections for patients and customers is also a good business practice for earning and maintaining trust.