Kaiser Permanente Settles $46M Lawsuit Over Patient Data Exposure via Tracking Tools
Kaiser Permanente has agreed to a $46 million settlement to resolve a class-action lawsuit alleging unauthorized sharing of patient data through third-party tracking tools on its websites and mobile apps. The settlement, preliminarily approved in December 2025, covers approximately 13 million current and former members across nine states and the District of Columbia.
The lawsuit, consolidated from multiple filings in 2024, claimed that from November 2017 to May 2024, Kaiser’s digital platforms transmitted sensitive information including IP addresses, names, medical histories, and user navigation details to companies like Google, Microsoft, Meta, and Twitter/X without explicit consent. Kaiser denied any misuse of data or exposure of Social Security numbers or financial information but opted to settle to avoid prolonged litigation.
Eligible members who accessed Kaiser’s websites or apps during the affected period may receive a one-time payment of $20 to $40 from the settlement fund, which could increase to $47.5 million. Claims must be filed by March 12, 2026, via the settlement website, with payments distributed after final court approval on May 7, 2026. Payouts will be issued electronically or by check.
Kaiser stated it removed the tracking technologies in 2024 and implemented additional safeguards to prevent future incidents. The company maintains that there is no evidence of data misuse but characterized the settlement as a resolution of legal uncertainty.
Kaiser Permanente cybersecurity rating report: https://www.rankiteo.com/company/kaiser-permanente
{
  "id": "KAI1768267117",
  "linkid": "kaiser-permanente",
  "type": "Breach",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "13 million members",
      "industry": "Healthcare",
      "location": "Oakland, California, USA",
      "name": "Kaiser Permanente",
      "size": "13 million members (affected regions: California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, District of Columbia)",
      "type": "Healthcare Provider"
    }
  ],
  "attack_vector": "Third-party tracking code",
  "customer_advisories": "Members informed in 2024 and 2025 about the breach and settlement",
  "data_breach": {
    "data_exfiltration": "Transmitted to third parties (Google, Microsoft, Meta, Twitter/X)",
    "personally_identifiable_information": [
      "IP addresses",
      "Names",
      "Search terms",
      "Medical histories",
      "Navigation details"
    ],
    "sensitivity_of_data": "High (medical histories, communications with healthcare professionals)",
    "type_of_data_compromised": [
      "Personal information",
      "Health information"
    ]
  },
  "date_detected": "2024-05",
  "date_publicly_disclosed": "2024",
  "date_resolved": "2025-12",
  "description": "Kaiser Permanente reached a lawsuit settlement over alleged patient data breaches involving Kaiser websites and mobile applications. The lawsuit alleged that from November 2017 to May 2024, Kaiser’s websites and mobile apps used third-party tracking code that transmitted confidential personal and health information without member consent to companies such as Google, Microsoft, Meta, and Twitter/X.",
  "impact": {
    "brand_reputation_impact": "Potential reputational damage due to alleged data breach",
    "data_compromised": "Confidential personal and health information, including IP addresses, names, search terms, medical histories, communications with healthcare professionals, and navigation details",
    "financial_loss": "$46 million (settlement fund)",
    "identity_theft_risk": "Potential risk due to exposure of personal and health information",
    "legal_liabilities": "Class-action lawsuit settlement",
    "operational_impact": "Removal of certain online technologies and implementation of additional safeguards",
    "systems_affected": "Kaiser Permanente websites and mobile applications"
  },
  "investigation_status": "Settled",
  "lessons_learned": "Need for stricter oversight of third-party tracking technologies and enhanced data protection measures",
  "post_incident_analysis": {
    "corrective_actions": "Removal of tracking technologies and implementation of additional safeguards",
    "root_causes": "Unauthorized transmission of data via third-party tracking code"
  },
  "recommendations": "Remove unauthorized third-party tracking code, implement expert-guided safeguards, and ensure compliance with data privacy regulations",
  "references": [
    {"source": "Becker's Hospital Review"},
    {"source": "ClassAction.org", "url": "https://www.classaction.org"},
    {"source": "Kaiser Permanente Privacy Breach Settlement Website"}
  ],
  "regulatory_compliance": {
    "legal_actions": "Class-action lawsuit settlement"
  },
  "response": {
    "communication_strategy": "Notices sent to members in 2024 and settlement notices in 2025",
    "containment_measures": "Removal of certain online technologies from websites and mobile applications",
    "remediation_measures": "Implementation of additional measures to safeguard against recurrence",
    "third_party_assistance": "Experts consulted for additional safeguards"
  },
  "stakeholder_advisories": "Settlement notices sent to members",
  "title": "Kaiser Permanente Patient Data Breach Settlement",
  "type": "Data Breach",
  "vulnerability_exploited": "Unauthorized data transmission via third-party trackers"
}