Kaiser Permanente data breach may affect 13.4 million people: Questions and answers

Kaiser Permanente says the information of millions of individuals may have been exposed.

The California-based organization notified the federal government of the data breach earlier this month, and news organizations such as Reuters reported the exposure this week.

Kaiser is just the latest of many healthcare organizations that have been affected by breaches of personal health information. Hospitals and health systems across the country have been affected by data breaches, including attacks from ransomware groups.

Here is a quick overview about the Kaiser Permanente data breach.

How many people are affected?

Kaiser Permanente says it is notifying about 13.4 million current and former members of its health plan about the potential exposure of their health data. Kaiser Permanente’s health plan has about 12.5 million members, the company says. The organization also operates 40 hospitals in several states.

Health systems are required to notify the U.S. Department of Health & Human Services of any breach affecting more than 500 people. Kaiser Permanente told the department 13.4 million were affected, according to the department’s database.

How was the data exposed?

Kaiser Permanente says online technologies may have sent personal information to other parties, including Google, Microsoft Bing, and X, the social media platform formerly known as Twitter. The personal data may have been sent when patients and members accessed websites or mobile applications.

Have other breaches occurred this way?

Yes. Cerebral, the telehealth company, said last year that patient information may have been shared via pixels to Google, Meta (the parent of Facebook and Instagram) and Tik Tok. More than 3.1 million people were affected in that breach.

Other health systems have reported similar breaches which have been attributed to technology that tracks visitors to websites. Companies have said they have used such tools to offer better, more personalized experiences for customers and patients.

Has Kaiser Permanente said what data may have been exposed?

The organization says exposed data appears to include names; IP addresses; information that could show a member or patient was signed into a Kaiser Permanente account or service; how individuals interacted with the website or app; and search terms used in the health encyclopedia.

What data was not exposed?

Kaiser Permanente says there was no exposure of Social Security numbers, financial account information or credit card numbers. There was also no exposure of usernames or passwords.

Has any personal information been misused?

Kaiser Permanente says there’s no evidence that there has been any misuse of patient information, but says it’s notifying individuals “out of an abundance of caution.”

“We apologize that this incident occurred,” Kaiser Permanente said in a statement.

What else is Kaiser Permanente doing?

Kaiser Permanente says it investigated the use of the online technologies, and removed them from its websites and applications. The organization also says it has consulted exports to help prevent “recurrence of this type of incident.”

Is this the biggest health data breach?

Hundreds of large healthcare breaches have occurred in recent years, but this stands near the top.

The Kaiser Permanente breach has affected more individuals than any other in the health department’s database. It surpassed HCA Healthcare’s 2023 data breach that affected 11 million individuals. The HCA breach was the largest breach reported to the health department in 2023.

However, it likely won’t approach the number of people affected by the Change Healthcare data breach that occurred in February. Scott MacLean, board chair of the College of Healthcare Information Management Executives, said at a House hearing that the Change Healthcare attack is “the largest cyber attack on our sector.”

Hospitals, health systems, medical groups and physicians continue to deal with the fallout of that breach, because Change Healthcare handles billing, prescriptions and other services across the health industry.

UnitedHealth Group, Change Healthcare’s parent company, said this week that “it is likely to take several months” before it can identify all the consumers and patients affected. But the company said the number affected “could cover a substantial proportion of people in America.”

How many people have been affected by breaches of health information?

Too many, cybersecurity analysts say.

Roughly 1 in 3 Americans have been affected by cyberattacks and breaches of health data. When the U.S. Health Department announced that it has opened an investigation of the Change Healthcare cyberattack, the agency said more than 134 million people were affected by cyberattacks and health data breaches in 2023, an increase of 141% over 2022.