U.S. healthcare conglomerate Kaiser has commenced notifying millions of its current and former members of a data breach that occurred after their personal information was shared with third-party advertisers, including Google, Microsoft, and X (formerly Twitter). The breach, which affected a staggering 13.4 million residents, constitutes the largest health-related data breach of 2024 so far and has prompted the organization to take immediate action.

In a statement released to TechCrunch, Kaiser revealed that an internal investigation had identified certain online technologies installed on its websites and mobile applications, which inadvertently transmitted personal information to external vendors. The data, shared with advertisers, comprises members' names, IP addresses, and potentially sensitive indicators such as account activity and search terms used within the health encyclopedia feature.

Kaiser acted promptly upon discovering this breach, immediately removing the tracking code responsible for the data transmission from its digital platforms. The company's spokesperson, Diana Yee, assured that beginning in May, all affected current and former members, as well as patients who accessed Kaiser's online platforms, will receive notifications. These notifications will be rolled out across all markets in which Kaiser Permanente operates.

As per legal requirements, Kaiser has filed a mandatory notice with the U.S. Department of Health and Human Services, disclosing the exposure of 13.4 million individuals' information. Additionally, the organization has informed the California Attorney General of the breach. However, no specific details regarding the incident were provided.

Kaiser Foundation Health Plan, the parent company of several entities constituting Kaiser Permanente, is one of the largest healthcare organizations in the United States. As of the end of 2023, it reported providing health insurance plans to approximately 12.5 million members.

This breach highlights the growing concern surrounding the use of online tracking codes embedded in web pages and mobile applications. In the past year, other healthcare organizations, including telehealth startups Cerebral, Monument, and Tempest, have also discovered and eliminated tracking codes that exposed patients' personal and health information to advertisers.

Kaiser aims to prioritize the security and privacy of its members' data and will undoubtedly face heightened scrutiny as it mitigates the impact of this incident. As the healthcare industry grapples with the complexities of data protection and privacy, it serves as a stark reminder of the need for robust safeguards to prevent such breaches.