Kaiser Permanente Settles $46M Over Unauthorized Sharing of Patient Data
U.S. healthcare provider Kaiser Permanente has agreed to a $46 million settlement following allegations that it shared sensitive patient data with third-party companies, including Google, Microsoft, Meta, and X, without consent. The settlement stems from multiple lawsuits filed in April and May 2024, which were consolidated into a class-action case.
Between November 2017 and May 2024, Kaiser’s websites and mobile apps allegedly used tracking code from services like Google Analytics and Meta Pixel, inadvertently transmitting members’ personal and health information such as IP addresses, names, search terms, medical histories, and communications with healthcare providers to these tech firms. While Kaiser denies wrongdoing and asserts no evidence of data misuse, the company opted to settle to avoid prolonged litigation.
The settlement covers approximately 13 million current and former Kaiser members in California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, and Washington, D.C. Eligible individuals have until March 12, 2026, to file a claim, with payments expected to range between $20 and $40 per person. The final court approval hearing is scheduled for May 7, 2025, after which payments will be distributed.
Kaiser removed the tracking code in 2024 and implemented additional security measures to prevent future incidents. While Social Security numbers and other highly sensitive data were not exposed, the breach highlights risks associated with third-party tracking tools in healthcare.
Kaiser Permanente Healthcare cybersecurity rating report: https://www.rankiteo.com/company/kaiser-permanente-healthcare
{
  "id": "KAI1768522711",
  "linkid": "kaiser-permanente-healthcare",
  "type": "Breach",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "13 million",
      "industry": "Healthcare",
      "location": "United States (Washington, D.C., California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington)",
      "name": "Kaiser Permanente",
      "size": "Large (13 million members affected)",
      "type": "Healthcare Provider"
    }
  ],
  "attack_vector": "Third-party tracking code",
  "customer_advisories": "Eligible members advised to file claims by March 12, 2026; payments expected after May 7, 2025",
  "data_breach": {
    "data_exfiltration": "Yes (shared with third-party companies like Google, Microsoft, Meta, and X)",
    "number_of_records_exposed": "13 million members",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High (personal and health information)",
    "type_of_data_compromised": [
      "IP addresses",
      "Names",
      "Search terms",
      "Medical histories",
      "Communications with healthcare professionals",
      "Usage details of mobile apps and websites"
    ]
  },
  "date_detected": "2024-05",
  "date_publicly_disclosed": "2024-04",
  "description": "Kaiser Permanente agreed to a $46 million settlement after allegedly sharing personal data and health information of 13 million members with third-party companies via tracking code on its websites and mobile apps without consent.",
  "impact": {
    "brand_reputation_impact": "Negative publicity and class-action lawsuits",
    "data_compromised": "Personal data and health information",
    "financial_loss": "$46 million settlement",
    "identity_theft_risk": "Potential risk due to exposure of personal and health data",
    "legal_liabilities": "Class-action lawsuits and settlement",
    "operational_impact": "Removal of third-party tracking code and implementation of additional security measures",
    "systems_affected": "Websites and mobile apps"
  },
  "investigation_status": "Settlement approved; claims process ongoing",
  "lessons_learned": "Need for stricter oversight of third-party tracking tools and data sharing practices; importance of obtaining explicit user consent for data collection.",
  "post_incident_analysis": {
    "corrective_actions": "Removal of tracking code; implementation of additional security measures; settlement to avoid further litigation",
    "root_causes": "Use of third-party tracking code without proper data filtering, leading to unintended sharing of sensitive information"
  },
  "recommendations": [
    "Audit and remove unnecessary third-party tracking tools from websites and apps",
    "Implement stricter data handling policies and consent mechanisms",
    "Enhance monitoring of data flows to third parties",
    "Invest in identity theft protection services for affected customers"
  ],
  "references": [
    { "source": "CBS News" },
    { "source": "Tom's Guide" },
    { "source": "Kaiser Permanente Privacy Breach Settlement Website", "url": "https://www.kaiserprivacybreachsettlement.com" },
    { "source": "ClassAction.org" }
  ],
  "regulatory_compliance": { "legal_actions": "Class-action lawsuits" },
  "response": {
    "communication_strategy": "Settlement notices sent to affected members; public statements denying misuse of data",
    "containment_measures": "Removal of third-party tracking code from websites and mobile apps",
    "remediation_measures": "Implementation of additional security measures to prevent recurrence"
  },
  "stakeholder_advisories": "Settlement notices sent to affected members; public statements issued",
  "title": "Kaiser Permanente Data Privacy Breach Settlement",
  "type": "Data Privacy Breach",
  "vulnerability_exploited": "Improper data handling via third-party tracking tools (e.g., Google Analytics, Meta Pixel)"
}