Kaiser Permanente to Pay $46M for Patient Data Breach

By Eric Wicklund

Kaiser Permanente is paying a hefty price for letting third-party tracking tools collect data about how patients used its websites and apps.

The Oakland-based health system will pay at least $46 million and as much as $47.5 million to settle a class action lawsuit filed by several patients who said their information was caught up in KP’s consumer-tracking programs, which can share data with Microsoft, Google, X (Twitter) and Adobe.

The practice is common among consumer-facing companies that want to know who is accessing their sites and why, and it is becoming more sophisticated as the technology evolves to let companies personalize those access points based on a user's behavior and preferences. According to a 2023 study published in Health Affairs, almost every health system surveyed (99%) uses data tracking tools.

In healthcare, however, that behavioral data may reveal protected health information (PHI): a logged-in user, the pages or search terms they viewed, and the identifiers the tracker attaches to them. That puts patient privacy at risk and exposes hospitals to regulatory enforcement under HIPAA as well as to private lawsuits.

The Health Insurance Portability and Accountability Act (HIPAA) does not permit disclosures of PHI to third parties like this by default, so a healthcare organization that sends such data to a tracking vendor needs either the patient's written authorization or a business associate agreement (BAA) with the vendor that receives it. Many of the large advertising and analytics vendors do not sign BAAs, which is the crux of the problem.

Federal regulators tried to get a handle on this a few years ago. In December 2022, the Health and Human Services Department's (HHS) Office for Civil Rights (OCR) issued guidance stating that organizations covered by HIPAA are not permitted to use "tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of HIPAA Rules."

The American Hospital Association and several other groups filed suit against HHS in late 2023, charging that the federal agency had exceeded its statutory authority by treating the collection of an IP address from a visitor to an unauthenticated, public-facing web page as a disclosure of PHI. Last year, a federal district court in the Northern District of Texas vacated that portion of the guidance, ruling that it "was promulgated in clear excess of HHS's authority under HIPAA," and HHS opted to drop the guidance rather than defend it.

As it stands now, healthcare organizations can use data tracking technology on public, unauthenticated pages without that alone being treated as a PHI disclosure. The same is not true of any site that requires a log-in, such as a patient portal or app: there the visitor is a known patient, so data sent to a tracker can be PHI and the BAA or authorization requirement still applies.

KP disclosed the data breach in May 2024, announcing that as many as 13.4 million members had been affected. The organization said that user information could have been transmitted to third-party tracking vendors through the KP website and mobile apps.

“The information that may have been involved was limited to: IP address, name, information that could indicate you were signed into a Kaiser Permanente account or service, information showing how you interacted with and navigated through our website or mobile applications, and search terms used in the health encyclopedia,” KP continued. “Detailed information concerning Kaiser Permanente account credentials (username and password), Social Security numbers, financial account information and credit card numbers were not included in the information involved.”

KP said it removed the tracking technologies from its websites and took additional measures to safeguard those sites.

KP officials denied the allegations in the lawsuit – namely, that protected health information was mishandled by the health system and that executives put that information at risk – but decided that settling the case with no admission of wrongdoing would be better than continuing to a trial.

According to the HIPAA Journal, lawsuits filed by patients named the Kaiser Foundation Health Plan, Kaiser Foundation Hospitals, and Kaiser Foundation Health Plan of Washington as defendants.

The HIPAA Journal also notes that OCR and the Federal Trade Commission (FTC) have jointly sent warning letters to roughly 130 hospital systems and telehealth providers over the use of tracking technologies that may violate HIPAA or the FTC Act, and that the FTC has settled complaints with five companies: Cerebral, Monument, BetterHelp, GoodRx and Easy Healthcare (Premom).

Eric Wicklund is the senior editor for technology at HealthLeaders.