By John Tozzi | Bloomberg
Oakland-based health plan Kaiser Permanente said its websites and apps may have inappropriately sent members’ private information to tech giants including Alphabet Inc., Microsoft Corp. and the social media company X.
Kaiser plans to inform 13.4 million current and former patients of the breach directly over the next month, according to an emailed statement to Bloomberg News.
The data shared with other companies may have included members’ names and what they searched for on their computers. A US government website for health-data breaches described the incident as an “unauthorized” disclosure.
Health companies are facing scrutiny over how their websites deploy tracking technology, commonly used by a wide variety of firms to build profiles for advertisers.
A report last year from Feroot Security found 86% of health websites transfer users’ data to other companies without consent. Federal authorities have warned health-care companies about the use of trackers.
It’s the latest in a series of concerning lapses in health-care data security. Health systems were roiled earlier this year after a cyberattack on Change Healthcare, a unit of UnitedHealth Group Inc., brought down its crucial network for health data and payments.
Kaiser Permanente, a nonprofit with members in eight states, apologized for its data breach in the statement. The system said it wasn’t aware of any misuse of the information, which may have gone to Alphabet’s Google, Microsoft’s Bing and X, formerly known as Twitter.
The health system removed the trackers from its websites and mobile apps after a voluntary investigation, the company said. Login credentials, Social Security numbers and financial information were not transmitted to third parties, according to Kaiser.