Kaiser Permanente Agrees to Pay Up to $47.5M in Web Tracker Settlement


Class Action Lawsuit Claims Web Trackers Misused Patient Data

Kaiser Permanente has agreed to pay up to $47.5 million to resolve class action litigation related to its website tracking activities.

Kaiser Permanente has reached an agreement to pay as much as $47.5 million to settle consolidated class action litigation that arose from allegations of improper data sharing through tracking codes embedded in its online platforms, including websites and mobile applications. Plaintiffs contended that these trackers unlawfully transmitted sensitive patient information to third parties, such as Google, Microsoft, and X (formerly Twitter).

The California-based healthcare provider, which serves approximately 12.6 million members across eight states and Washington, D.C., reported the incident to federal regulators in April 2024 as a HIPAA breach involving unauthorized access and disclosure affecting 13.4 million individuals. It was the second-largest health data breach reported to the U.S. Department of Health and Human Services that year, behind only the Change Healthcare ransomware attack, which compromised the health information of nearly 193 million individuals.

The claims within the class action lawsuit against Kaiser charged the organization with numerous violations of federal and state laws, alleging that the incorporation of embedded tracking codes resulted in the exposure of plaintiffs’ sensitive information to third-party entities like Quantum Metric, Twitter, Adobe, Microsoft Bing, and Google. The suit identified multiple infractions, including negligence, breach of implied contract, and violations of key legislation such as the Electronic Communications Privacy Act and various state-specific laws.

Details of the Settlement

Under the terms of the preliminary settlement, Kaiser denies any wrongdoing or liability. However, the proposed settlement involves a payment of $46 million, which may be adjusted but will not exceed $47.5 million based on stipulations in a confidential Supplemental Agreement. Included in this settlement are Kaiser members from California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, and D.C., who accessed certain authenticated portions of Kaiser’s online sites and apps between November 2017 and May 2024.

Each eligible class member is slated to receive an equal share of the net settlement fund, calculated by dividing the amount that remains after court-approved deductions equally among all claimants. Those deductions include attorney fees, service awards for the named plaintiffs, and settlement administration costs.

Kaiser has taken steps to enhance its data protection following the incident, reporting in its breach notice that it has removed online tracking technologies from its platforms and implemented further security measures with expert guidance to prevent similar occurrences.

Challenges Pertaining to HIPAA Compliance

The Kaiser breach is emblematic of broader challenges within the healthcare sector, as several organizations have reported similar HIPAA breaches linked to the use of tracking pixels. Lawsuits in these cases have alleged that patient data was captured on patient portals and then transmitted to entities like Meta and Google without consent. Under the Biden administration, agencies such as the HHS Office for Civil Rights and the FTC have gradually intensified scrutiny over the use of web tracking tools in the healthcare domain.

The FTC has previously brought enforcement actions against telehealth firms over their tracking practices, most notably in the GoodRx and BetterHelp cases, both of which stemmed from similar privacy concerns. Although no comparable actions have been taken under the current administration, healthcare organizations continue to face civil lawsuits alleging privacy violations arising from the use of web tracking technologies.

As organizations like Kaiser Permanente revise their practices and settle claims, complying with privacy regulations and preserving patient trust remain paramount. Healthcare organizations must continuously monitor their compliance posture and may draw on frameworks such as the MITRE ATT&CK Matrix, which catalogs adversary tactics and techniques such as initial access and privilege escalation, to strengthen their defenses against cyber threats.
