Kaiser Permanente: Kaiser Permanente to pay $46 million in privacy data breach settlement. Here's how to file a claim.

Kaiser Permanente Settles $46M Lawsuit Over Alleged Patient Data Breaches

Kaiser Permanente has agreed to a $46 million settlement to resolve a class-action lawsuit alleging unauthorized sharing of patient data through its websites and mobile apps. The settlement, preliminarily approved in December 2025, stems from multiple lawsuits filed in 2024, which were consolidated into a single case.

The lawsuit claimed that from November 2017 to May 2024, Kaiser’s digital platforms used third-party tracking tools, including code from Google, Microsoft, Meta, and Twitter/X, that transmitted sensitive information without user consent. Exposed data reportedly included IP addresses, names, medical histories, search terms, and user navigation details. Kaiser denied any misuse of data or exposure of Social Security numbers or financial information, stating the settlement was reached to avoid prolonged litigation.

Eligible members (current or former Kaiser patients in nine states and D.C. who accessed its websites or apps during the affected period) may receive a one-time payment of $20 to $40 from the settlement fund, which could increase to $47.5 million. Claims must be filed by March 12, 2026, via the settlement website, with payments distributed after final court approval on May 7, 2026. Payouts will be issued electronically or by check.

Kaiser stated it removed the tracking technologies in 2024 and implemented additional safeguards to prevent future incidents. The company maintains there is no evidence of data misuse but settled to resolve the legal dispute.

Source: https://www.cbsnews.com/sanfrancisco/news/kaiser-permanante-settlement-file-claim-46-million-privacy-patient-data/

Kaiser Permanente cybersecurity rating report: https://www.rankiteo.com/company/kaiser-permanente

"id": "KAI1768267006",
"linkid": "kaiser-permanente",
"type": "Breach",
"date": "5/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '13 million members in '
                                              'California, Colorado, Georgia, '
                                              'Hawaii, Maryland, Oregon, '
                                              'Virginia, Washington, and the '
                                              'District of Columbia',
                        'industry': 'Healthcare',
                        'location': 'Oakland, California, USA',
                        'name': 'Kaiser Permanente',
                        'size': '13 million members (affected regions)',
                        'type': 'Healthcare Provider'}],
 'attack_vector': 'Third-party tracking code',
 'customer_advisories': 'Official settlement notices sent to members in 2025; '
                        'members informed in 2024 about technology removal',
 'data_breach': {'data_exfiltration': 'Transmitted to third parties (Google, '
                                      'Microsoft, Meta, Twitter/X)',
                 'personally_identifiable_information': ['IP addresses',
                                                         'Names',
                                                         'Search terms',
                                                         'Medical histories',
                                                         'Site navigation '
                                                         'details'],
                 'sensitivity_of_data': 'High (medical histories, '
                                        'communications with healthcare '
                                        'professionals)',
                 'type_of_data_compromised': ['Personal information',
                                              'Health information']},
 'date_detected': '2024-05',
 'date_publicly_disclosed': '2024',
 'date_resolved': '2025-12',
 'description': 'Kaiser Permanente reached a $46 million settlement over '
                'alleged patient data breaches involving its websites and '
                'mobile applications. The lawsuit alleged that third-party '
                'tracking code transmitted confidential personal and health '
                'information without member consent to companies such as '
                'Google, Microsoft, Meta, and Twitter/X from November 2017 to '
                'May 2024.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'alleged data breach',
            'data_compromised': 'Confidential personal and health information, '
                                'including IP addresses, names, search terms, '
                                'medical histories, communications with '
                                'healthcare professionals, and site navigation '
                                'details',
            'financial_loss': '$46 million (settlement fund)',
            'legal_liabilities': 'Class-action lawsuit settlement',
            'operational_impact': 'Removal of certain online technologies and '
                                  'implementation of additional safeguards',
            'payment_information_risk': 'Denied exposure of financial '
                                        'information',
            'systems_affected': ['Websites', 'Mobile applications']},
 'investigation_status': 'Settled',
 'lessons_learned': 'Importance of securing third-party integrations and '
                    'ensuring explicit user consent for data sharing',
 'post_incident_analysis': {'corrective_actions': 'Removal of tracking '
                                                  'technologies, '
                                                  'implementation of '
                                                  'additional safeguards, and '
                                                  'expert guidance',
                            'root_causes': 'Unauthorized transmission of data '
                                           'via third-party tracking code '
                                           'without member consent'},
 'recommendations': 'Enhance monitoring of third-party tracking technologies, '
                    'implement stricter data sharing policies, and conduct '
                    'regular audits of data transmission practices',
 'references': [{'source': "Becker's Hospital Review"},
                {'source': 'Classaction.org',
                 'url': 'https://www.classaction.org'},
                {'source': 'Kaiser Permanente Settlement Website'}],
 'regulatory_compliance': {'legal_actions': 'Class-action lawsuit settlement'},
 'response': {'communication_strategy': 'Informed members in 2024; official '
                                        'settlement notices sent in 2025',
              'containment_measures': 'Removal of certain online technologies '
                                      'from websites and mobile applications',
              'remediation_measures': 'Implementation of additional safeguards '
                                      'to prevent recurrence',
              'third_party_assistance': 'Guidance of experts'},
 'title': 'Kaiser Permanente Patient Data Breach Settlement',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Unauthorized data transmission via third-party '
                            'integrations'}