Potential Data Breach at Kaiser Permanente May Have Affected 13.4 Million Patients

Threat Actor: Unknown | Unknown
Victim: Kaiser Permanente | Kaiser Permanente
Price: Not specified
Exfiltrated Data Type: Names, IP addresses, search terms used on the website and mobile apps

Additional Information:

  • Kaiser Permanente is an American integrated managed care consortium consisting of the Kaiser Foundation Health Plan, Inc., Kaiser Foundation Hospitals, and the regional Permanente Medical Groups.
  • The company operates in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington.
  • The data breach impacted 13.4 million residents.
  • The company confirmed sharing patients’ information with third-party organizations for advertising purposes, including Google, Microsoft, and X.
  • The exposed data does not include usernames, passwords, Social Security Numbers (SSNs), and financial data.
  • Kaiser Permanente previously experienced another data breach in June 2022, where threat actors gained access to an employee’s emails.
  • The previously exposed data included names, medical records, dates of service, and lab test results.

Kaiser Permanente is an American integrated managed care consortium made up of three distinct but interdependent groups of entities: the Kaiser Foundation Health Plan, Inc. (KFHP) and its regional operating subsidiaries; Kaiser Foundation Hospitals; and the regional Permanente Medical Groups.

The health giant operates 39 hospitals and more than 700 medical offices, with over 300,000 personnel, including more than 87,000 physicians and nurses.

It operates in California, Colorado, the District of Columbia, Georgia, Hawaii, Maryland, Oregon, Virginia, and Washington.

Media reported [1, 2] that the company is notifying millions of current and former members of a data breach. TechCrunch reported that the company confirmed it shared patients’ information with third-party organizations, including Google, Microsoft and X, for advertising purposes.

Shared data include names, IP addresses, and information about members’ activity on the company website and mobile apps, including search terms used in its health encyclopedia. Kaiser Permanente later removed the tracking code from its platforms. Exposed data does not include usernames, passwords, Social Security Numbers (SSNs), or financial data.
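The exposure described above came from third-party tracking code embedded in the member-facing web properties. The script below is an added example, not code from the original article or from Kaiser Permanente, of the kind of audit a site owner can run over a rendered page to find every third-party resource load and to check whether any of those requests carries page content such as a search term. The first-party host, the tracker host list, and the sample HTML (a constructed health-encyclopedia search page) are assumptions made for the example; the tracker list is illustrative and is not a statement about which scripts were present on the Kaiser Permanente sites.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl, unquote

# Illustrative advertising/analytics hosts (an assumption for this example,
# not a finding about the incident). Extend to match your own inventory.
KNOWN_TRACKER_HOSTS = {
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "stats.g.doubleclick.net",
    "bat.bing.com",
    "static.ads-twitter.com",
    "analytics.twitter.com",
}


class _ResourceCollector(HTMLParser):
    """Collects the URL of every element that triggers a network request."""

    _URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr_name = self._URL_ATTRS.get(tag)
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value:
                self.urls.append(value)


def third_party_loads(html, first_party_hosts):
    """Return every absolute URL in the page whose host is not first-party."""
    collector = _ResourceCollector()
    collector.feed(html)
    found = []
    for url in collector.urls:
        host = urlsplit(url).hostname
        # Relative URLs have no host and stay on the first-party origin.
        if host and host.lower() not in first_party_hosts:
            found.append(url)
    return found


def leaked_values(url, sensitive_values):
    """Return the sensitive values that appear in the URL's path or query string."""
    parts = urlsplit(url)
    query_values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    haystack = (unquote(parts.path) + " " + " ".join(query_values)).lower()
    return [s for s in sensitive_values if s.lower() in haystack]


def audit_page(html, first_party_hosts, sensitive_values):
    """Report third-party loads, flagging known trackers and any request that echoes sensitive values."""
    findings = []
    for url in third_party_loads(html, first_party_hosts):
        host = urlsplit(url).hostname.lower()
        findings.append({
            "url": url,
            "host": host,
            "known_tracker": host in KNOWN_TRACKER_HOSTS,
            "leaks": leaked_values(url, sensitive_values),
        })
    return findings


# Constructed sample page: a health-encyclopedia search result with one
# first-party script, one tag-manager script, and one ad pixel whose URL
# repeats the search term the member typed.
SAMPLE_HTML = """
<html><head>
<script src="https://www.example-health.test/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
</head><body>
<h1>Results for "diabetes"</h1>
<img src="https://bat.bing.com/action/0?ti=EXAMPLE&q=diabetes" width="0" height="0">
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML, {"www.example-health.test"}, ["diabetes"]):
        print(finding)
```

Running the audit against the constructed page reports two third-party loads: the tag-manager script, which carries nothing page-specific, and the ad pixel, which echoes the search term in its query string. Static HTML only shows the tags present at page load; scripts injected later (for example by a tag manager) need the same check applied to the requests observed in a browser's network log.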

In a notice filed with the US government, the integrated managed care consortium disclosed a data breach impacting 13.4 million residents.

Kaiser Permanente is not aware of any misuse of the exposed information.

In June 2022, Kaiser Permanente disclosed another data breach that exposed the health information of 69,000 people. The company revealed that threat actors gained access to an employee’s emails at the Kaiser Foundation Health Plan of Washington.

The exposed data included names, medical records, dates of service, and lab test results.

Pierluigi Paganini

Original Source: https://securityaffairs.com/162347/data-breach/kaiser-permanente-data-breach.html