Data breaches are reported at Kaiser and City of Hope
Insurer says millions of members’ search information was sent to Google and others.
Health insurance giant Kaiser Permanente apologized to 13.4 million of its members that some of their search information may have been inadvertently transmitted to Google, other search engines and media platforms.
The Oakland-based company reported that “certain online technologies” that were previously installed on Kaiser Permanente websites and apps were transmitting information such as medical terms that members searched on the company website to Google, Microsoft Bing, and X, the social media platform formerly known as Twitter, the company said in a statement to its members on April 12 and shared with The Times on Friday.
Kaiser Permanente is one of the nation’s largest private nonprofit healthcare organization with 40 hospitals, 618 medical offices, more than 24,000 physicians and 73,000 nurses, according to the company’s website.
There were no usernames, passwords, Social Security numbers, financial account information, or credit card numbers shared with those platforms, the company said.
Information that may have been shared includes the unique internet address that identifies a person’s computer on a network, commonly referred to as an IP address. User names could also have been transmitted and “information that could indicate a member or patient was signed into a Kaiser Permanente account or service, information showing how a member or patient interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia,” according to the statement.
The company said the “online technologies” that caused the unauthorized transmission were removed from their websites and mobile apps.
“Kaiser Permanente is not aware of any misuse of any member’s or patient’s personal information,” the company said in its statement. “Nevertheless, out of an abundance of caution, we are informing approximately 13.4 million current and former members and patients who accessed our websites and mobile applications. We apologize that this incident occurred.”
The company said it has “implemented additional measures with the guidance of experts designed to safeguard against recurrence of this type of incident.”
Another healthcare provider also notified its members last month about a data breach.
City of Hope, which includes medical facilities in California, Arizona, Illinois and Georgia, informed its members that somebody accessed their information and obtained copies of some files between Sept. 19 and Oct. 12 in 2023, the company announced in an advisory on April 2.
The type of information stolen varies among members, but includes email addresses, phone numbers, date of birth, Social Security and driver’s license numbers along with other government identification and financial details, such as bank account numbers and credit card details, according to City of Hope. Health insurance information, medical records and information about medical history and associated conditions could also have been stolen, along with unique identifiers to associate individuals with City of Hope, like their medical record numbers, the company said.
“Upon discovery of this incident, City of Hope immediately instituted mitigation measures,” the company said. “We then promptly implemented additional and enhanced safeguards and enlisted the support of a leading cybersecurity firm to enhance the security of our network, systems, and data.”
The company is offering free identity monitoring services for two years for its members. In addition, it notified law enforcement and regulatory bodies about the data breach while also launching its own internal investigation, the company said.