Dive brief:
- Kaiser Foundation Health Plan disclosed a data breach impacting 13.4 million current and former plan participants to the federal government on Thursday.
- The health plan said in a statement to Healthcare Dive that it may have unintentionally shared patient information with third-party advertisers, including Google, Microsoft and X, the company formerly known as Twitter.
- This is the largest data breach reported to the HHS Office for Civil Rights so far this year, surpassing the second largest breach with more than 9.4 million people affected.
Dive overview:
Kaiser Health Plan is one of the nation's largest health care organizations, with more than 12.5 million members at the end of 2023.
The health plan said it identified the breach during a routine investigation that revealed that “certain online technologies, previously installed on its websites and mobile applications” may have transmitted health data to third-party suppliers.
This information includes members' names and IP addresses, information about whether they are connected to a Kaiser account or service, and details about how patients use the applications, including search terms used in the health encyclopedia.
Kaiser said it would begin notifying affected people about the breach. The healthcare conglomerate has already removed tracking code from its mobile apps and website.
Kaiser has been embroiled in litigation over alleged privacy violations related to the use of its tracking technologies since last summer.
In June, plaintiffs filed a class action against the health plan in a U.S. district court, accusing Kaiser of disclosing their confidential health information to third parties without their consent.
The lawsuit alleges that Kaiser disclosed information about the medical topics researched, medical “choices” made as a result of that research, and communications with medical providers.
The breach comes amid a surge in healthcare tracking technology lawsuits filed against healthcare companies and hospital systems.
Primary care provider VillageMD was sued earlier this month for allegedly sharing patient data with Facebook and Google via tracking technologies. Charlotte, North Carolina-based health system Atrium Health was sued the same week for allegedly disclosing patient data to Facebook via tracking tools.
As consumers file lawsuits over privacy violations, regulators are also debating the role of tracking technology in health care.
Almost all hospitals used tracking tools on their websites starting in 2021, and many have shared visitor information with tech giants including Alphabet and Meta, according to a 2023 study in Health Affairs.
In December 2022, the HHS Office for Civil Rights issued a newsletter clarifying how HIPAA rules apply to online tracking tools. Last year, the Federal Trade Commission and HHS OCR sent letters to about 130 hospitals and telehealth providers warning them that integrating such tools into their websites could expose patients' personal health data to third parties.
The American Hospital Association has pushed back against regulators' attempts to restrict use of tracking technology, saying the data offers critical insights health systems need to improve websites and patient access to care. For example, tracking tools can show where patients have difficulty navigating websites or asking common community medical questions, the AHA said.
In November, the AHA sued HHS over proposed restrictions on tracking technologies.
In March, HHS OCR updated its guidance regarding tracking technology to clarify that sharing website visits alone with a third party was not sufficient to constitute a breach. However, the agency said health care companies cannot use tracking technologies “in a manner that would result in unauthorized disclosures” of personal health information to providers of tracking technologies, or result in any other violation of privacy rules.