Kaiser Permanente, a subsidiary of the healthcare conglomerate Kaiser Foundation Health Plan, has revealed that the information of more than 13 million individuals was exposed in a recent data breach.
Kaiser Foundation Health Plan is one of the largest nonprofit health insurance providers in the US, serving patients and medical entities from coast to coast.
The number of victims impacted is listed as 13.4 million, according to the filing posted on the US Department of Health and Human Services (HHS) breach notification portal and submitted by Kaiser on April 12th.
The health giant reports the cause of the breach was due to unauthorized access/disclosure on its network servers.
"Out of an abundance of caution, we are informing about 13.4 million current and former members and patients who accessed our websites and mobile applications," Kaiser said in a statement sent to Cybernews.
Kaiser Permanente said it is not aware of any misuse of any member's or patient's personal information at this time.
Unauthorized access via third-party
“The data from this breach was leaked via third-party trackers installed on its websites and mobile apps, which Kaiser confirmed were used to share patients’ personal information with third-party advertisers such as Google, Microsoft Bing, and X/Twitter,” Kaiser said.
Kaiser stated that the information exposed to the unauthorized third parties is limited to IP addresses and individual names, and that no usernames, passwords, Social Security numbers, financial account information, or credit card numbers were included in the transmission to these third parties.
Where it gets sticky is that Kaiser also said the compromised information could "indicate a member or patient was signed into a Kaiser Permanente account or service, information showing how a member or patient interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia."
Nick Tausek, Lead Security Automation Architect at Swimlane, pointed out that Kaiser said the third-party trackers were identified and removed from the websites and mobile applications following a voluntary internal investigation.
“While this breach did not include critical PII, it did include data such as IP addresses, names, and how users interacted with Kaiser Permanente’s web portal, including searches on the site and visited pages,” Tausek reiterated.
Tausek explained that those impacted are fortunate the data has mostly been received by legitimate companies rather than criminal enterprises.
Still, Tausek said it’s a “small consolation from a data privacy perspective, as this type of data is routinely sold through data brokers, marketers, and advertisers.”
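The leak path described above, trackers forwarding a signed-in member's name, IP address and health-encyclopedia search terms to advertising hosts, is something a defender can audit from a browser capture. The following is an added example, not code from Kaiser or from the article: it walks HAR-style request entries, skips first-party hosts, and flags any third-party request whose query string or POST body carries a sensitive key, including keys nested inside a forwarded page URL (trackers commonly send the current location, search query and all). The host names, sample entries and key list are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Hosts the organisation itself owns (constructed for this example).
FIRST_PARTY = {"www.healthplan.example", "healthplan.example"}

# Parameter names that would carry the kinds of data the article names:
# search terms, identity, and signed-in state (constructed list).
SENSITIVE_KEYS = {"q", "query", "search", "term", "name", "first_name",
                  "last_name", "email", "logged_in", "member_id"}

# Constructed HAR-style entries: one first-party page view, one tracker
# call forwarding the page URL (search term included), one pixel POSTing
# identity fields, and one harmless CDN fetch.
SAMPLE_ENTRIES = [
    {"request": {"url": "https://www.healthplan.example/encyclopedia?q=diabetes"}},
    {"request": {"url": "https://tracker.example/collect?dl=https%3A%2F%2F"
                        "www.healthplan.example%2Fencyclopedia%3Fq%3Ddiabetes&uid=123"}},
    {"request": {"url": "https://ads.example/pixel",
                 "postData": {"text": "first_name=Ann&logged_in=1"}}},
    {"request": {"url": "https://cdn.example/lib.js"}},
]


def registrable(host):
    """Crude registrable-domain reduction (last two labels); good enough here."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def sensitive_keys(params):
    """Collect sensitive keys from (key, value) pairs, descending into any
    value that is itself a URL, as forwarded page locations are."""
    found = set()
    for key, value in params:
        if key.lower() in SENSITIVE_KEYS:
            found.add(key.lower())
        if "://" in value:
            found.update(sensitive_keys(parse_qsl(urlsplit(value).query)))
    return found


def audit_entries(entries, first_party=FIRST_PARTY):
    """Return [{host, keys}] for third-party requests carrying sensitive keys."""
    own = {registrable(h) for h in first_party}
    findings = []
    for entry in entries:
        req = entry["request"]
        url = urlsplit(req["url"])
        if registrable(url.hostname or "") in own:
            continue  # first-party traffic is expected to see this data
        params = parse_qsl(url.query)
        params += parse_qsl(req.get("postData", {}).get("text", ""))
        keys = sensitive_keys(params)
        if keys:
            findings.append({"host": url.hostname, "keys": sorted(keys)})
    return findings
```

Run against a real HAR export, feed `log["entries"]` to `audit_entries` with your own domains in `first_party`; every finding is a request worth reviewing against what the tracker vendor is contractually allowed to receive.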
Healthcare industry targeted
Major healthcare providers, hospitals, and insurance companies are no strangers to being targeted by cybercriminal groups.
Andrew Costis, Chapter Lead of the Adversary Research Team at AttackIQ explains that “successful targeting and compromise of organizations in the healthcare sector provide a gold mine for both eCrime and nation-states.”
“The recent ransom paid out by Change Healthcare has most likely given other ransomware groups the green light to target other healthcare organizations and partners in the hope of receiving a prompt payment, particularly due to the many critical systems and services running in these organizations,” Costis said.
Kaiser said that “steps have been taken to prevent this type of incident in the future,” similar to statements made about another breach from 2022, which also took place in the month of April.
At the time, Kaiser Permanente disclosed that that breach was also caused by unauthorized access and affected close to 70,000 individuals.
The compromised health data was said to include patients’ “first and last name, medical record number, dates of service, and laboratory test result information.”
Kaiser Permanente provides healthcare coverage in eight states and the nation’s capital: California, Colorado, Georgia, Hawaii, Maryland, Virginia, Oregon, and Washington.