Kaiser Permanente notifies 13.4 million members of data breach - Los Angeles Times

Kaiser Permanente notifies 13.4 million members of data breach. City of Hope also reported breach

Kaiser Permanente’s Los Angeles Medical Center.
(Irfan Khan / Los Angeles Times)

Health insurance giant Kaiser Permanente apologized to 13.4 million of its members, telling them that some of their search information may have been inadvertently transmitted to Google, other search engines and media platforms.

“Certain online technologies” that were previously installed on Kaiser Permanente websites and apps were transmitting information, such as medical terms that members searched on the company website, to Google, Microsoft Bing, and X, the social media platform formerly known as Twitter, the Oakland-based company said in a statement sent to its members on April 12 and shared with The Times on Friday.

Kaiser Permanente is one of the nation’s largest private nonprofit healthcare organizations with 40 hospitals, 618 medical offices, more than 24,000 physicians and 73,000 nurses, according to the company’s website.


There were no usernames, passwords, Social Security numbers, financial account information, or credit card numbers shared with those platforms, the company said.

Information that may have been shared includes the unique internet address that identifies a person’s computer on a network, commonly referred to as an IP address. Users’ names could also have been transmitted, along with “information that could indicate a member or patient was signed into a Kaiser Permanente account or service, information showing how a member or patient interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia,” according to the statement.

The company said the “online technologies” that caused the unauthorized transmission were removed from their websites and mobile apps.


“Kaiser Permanente is not aware of any misuse of any member’s or patient’s personal information,” the company said in its statement. “Nevertheless, out of an abundance of caution, we are informing approximately 13.4 million current and former members and patients who accessed our websites and mobile applications. We apologize that this incident occurred.”


The company said it has “implemented additional measures with the guidance of experts designed to safeguard against recurrence of this type of incident.”

Another healthcare provider also notified its members this month about a data breach.

City of Hope, which includes medical facilities in California, Arizona, Illinois and Georgia, informed its members that somebody accessed their information and obtained copies of some files between Sept. 19 and Oct. 12 in 2023, the company announced in an advisory on April 2.


The type of information stolen from City of Hope varies among members, but includes email addresses, phone numbers, dates of birth, Social Security and driver’s license numbers, along with other government identification and financial details, like bank account numbers and credit card details, according to City of Hope. Health insurance information, medical records and information about medical history and associated conditions could also have been stolen, along with unique identifiers to associate individuals with City of Hope, like their medical record numbers, the company said.

“Upon discovery of this incident, City of Hope immediately instituted mitigation measures,” the company said. “We then promptly implemented additional and enhanced safeguards and enlisted the support of a leading cybersecurity firm to enhance the security of our network, systems, and data.”

The company is offering free identity monitoring services for two years for its members. It also notified law enforcement and regulatory bodies about the data breach while launching its own internal investigation, the company said.
