Kaiser Permanente, one of the largest not-for-profit providers of health care and coverage in the United States, is dealing with the fallout from a significant data breach that has affected more than 13 million individuals. The company revealed details of the incident in a public notification posted on April 25th.
According to a filing submitted to the U.S. Department of Health and Human Services on April 12th, Kaiser Permanente suffered a data breach in mid-April that exposed the personal information of approximately 13.4 million members of its health plan.
While Kaiser has not provided many specifics about the nature of the cybersecurity incident, the company stated that the compromised data included individuals' names, addresses, email addresses, and may have also included medical information and health record numbers depending on the person.
This breach ranks among the largest ever reported for a healthcare provider or health plan in the U.S. in terms of the number of people impacted. Kaiser operates in eight states and the District of Columbia, serving more than 12 million members.
In response, Kaiser is initiating notifications to all 13.4 million affected individuals to inform them of the data breach and provide guidance on steps they can take to protect themselves against potential fraud or identity theft. The company is also reviewing and strengthening its cybersecurity measures.
It is believed that PII (personally identifiable information) was transmitted to third-party vendors via mobile applications and other website tools used by the healthcare giant. Information collected by online trackers is often shared with an extensive network of marketers, advertisers, and data brokers. If there is a silver lining, it is likely the data exposed to advertisers such as Microsoft and Google does not include usernames, passwords, Social Security numbers (SSNs), financial account information, or credit card numbers.
"The presence of third-party trackers belonging to advertisers, and the over-sharing of customer information with these trackers, is a pervasive problem in both health tech and government space," said Narayana Pappu, CEO at Zendata. "Once shared, advertisers have used this information to target ads at users for complimentary products (based on health data); this has happened multiple times in the past few years, including at GoodRx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome—an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."
Data breaches in the healthcare sector are particularly concerning due to the highly sensitive nature of medical data and patient records involved. This information could potentially be used for identity theft, financial fraud, or to illegally obtain medical services and prescription drugs.
This incident underscores the need for robust data security measures at healthcare providers, insurers, and companies that handle protected health information (PHI). Regulatory bodies will likely investigate this breach further and could levy significant fines against Kaiser Permanente if it is found to have violated data protection laws.
[RELATED: Dissension Emerges as Healthcare Grapples with Cybersecurity Regulations]
"Your personal information is everywhere online these days, and safeguarding yourself against cyber risks must be a priority, as proven by the recent data breach Kaiser Permanente suffered. The pervasive nature of online tracking technologies and the potential risks they pose to personal privacy underscores the critical need for individuals to prioritize safeguarding their online information," said Darren Guccione, CEO and Co-Founder at Keeper Security. "While most users know that many of their online activities are tracked, they may not realize just how much information is being collected, ranging from IP addresses and search terms to personally identifiable information—such as your first and last name, age, and email—as well as your location, text messages, calls, device information, and sometimes even financial details. Advertisers use this vast array of information to create customer personas for targeted advertising."
Guccione continued: "While the data leaked in this breach did not include highly sensitive information like usernames, passwords, or financial details, users may feel violated knowing that information about interactions with their trusted healthcare provider was shared with advertisers without their knowledge or consent. Fortunately, there are some options to reduce the amount of data collected through your online accounts, including adjusting your ad settings to opt out of targeted advertisements and turning off permissions wherever possible.
Protecting your information online starts with good cyber hygiene. The plethora of online accounts most people have necessitates the use of a strong and unique password for each and every one. They should be generated and stored in a password manager to provide secure, easy access while protecting against bad actors. Setting up Multi-Factor Authentication (MFA) on your accounts provides a critical second layer of security in the event that your password is compromised. Authenticator apps, SMS codes, and security devices such as YubiKey are a few of the options available for MFA."
To learn more and connect with cybersecurity leaders across the healthcare and medical sectors, attend the SecureWorld Healthcare virtual conference on May 1, 2024. See the agenda and register for free here.
[RELATED: What's the Prescription for Cyber Resilience in Healthcare?]
