Data breaches have become all-too-common, devastating healthcare organizations of all sizes. These breaches can stem from many sources, ranging from supply chain breaches and data loss through inadequate hardware disposal to misaddressed emails, malicious unauthorized access, and third-party vulnerabilities, like the most recent Kaiser Permanente data breach.
Major healthcare service provider Kaiser Permanente has disclosed a data breach that could impact around 13.4 million people in the United States. The data breach was caused by third-party trackers installed on its websites and mobile apps.
Third-party trackers are scripts or software commonly installed by companies to collect user data. These trackers monitor user behavior, such as browsing patterns, clicks, or app usage, and gather information like location, device type, and personal identifiers. This data is often used for targeted advertising, analytics, or marketing purposes. Google Analytics, which, as of 2023, had been installed on over 13 million websites, is one example.
As one of the most extensive nonprofit health plans in the U.S., Kaiser Permanente operates 39 hospitals and 700 medical facilities in several states and supports 12.5 million members, 300,000 employees, and contractors, including over 87,000 nurses and physicians. When these members accessed Kaiser’s websites and mobile apps, the scripts and software exposed members’ personal information to third-party vendors like Google, Microsoft Bing, and X (formerly Twitter), resulting in a breach.
The compromised Personally Identifiable Information (PII) included names, IP addresses, and indicators of whether someone was logged into a Kaiser Permanente account. It also included details about users’ interactions with the website and mobile apps, including search terms used in the health encyclopedia. Fortunately, sensitive information like usernames, passwords, Social Security Numbers (SSNs), financial account details, and credit card numbers were not exposed.
During an internal investigation, Kaiser Permanente detected the breach and removed the third-party trackers. The company has taken additional steps to prevent future incidents. Although there’s no sign that the leaked data has been misused, Kaiser will notify those who accessed its websites and mobile apps as a precaution.
The breach has been reported to the U.S. Department of Health and Human Services (HHS), which requires organizations to disclose data breaches involving protected health information. Kaiser’s notification process for affected individuals will start in May 2024.
The Previous Kaiser Data Breach: via Unauthorized Access
While August’s breach wasn’t the biggest in history, it contributes to a growing list of healthcare data breaches. And it differs from previous breaches, like the last one Kaiser experienced in June 2022, which resulted from a malicious actor.
The 2022 Kaiser data breach was caused by unauthorized, malicious access to an employee’s email account. That breach exposed sensitive Protected Health Information (PHI), including names, medical records, and lab test results, impacting 70,000 individuals.
While both incidents involve the exposure of sensitive information, the root causes are distinct—one from internal technical misconfigurations and the other a malicious attack.
Only Two Kaiser Data Breaches?
According to California’s Office of the Attorney General, Kaiser has experienced at least 18 data breaches since 2012. But that makes sense and is not out of the ordinary, considering two things: 89% of healthcare organizations report experiencing a (failed or successful) cyber attack nearly once a week, and Kaiser Permanente is a giant healthcare organization with an infinite number of threat vectors
The First Reported Kaiser Data Breach: “Data Loss Through Hardware”
The first reported breach in 2012 occurred when confidential employee information was discovered on an external hard drive that was improperly disposed of. The exposed data included names, Social Security Numbers, dates of birth, and addresses, affecting individuals who were Kaiser Permanente employees before 2009. Notably, no protected health information was compromised.
The breach came to light in late September 2011 when the individual who purchased the hard drive notified Kaiser Permanente. The company quickly retrieved the hard drive and informed law enforcement. Once the authorities completed their analysis, Kaiser Permanente began its internal investigation to trace the source of the data leak. The investigation identified the internal source of the data and initiated steps to prevent future incidents of this nature.
Kaiser may have experienced data breaches before this, but this was the first reported since the Health Information Technology for Economic and Clinical Health (HITECH) Act required reporting in 2009. The act, part of the American Recovery and Reinvestment Act (ARRA), introduced significant changes to healthcare information technology and privacy regulations.
Kaiser’s “Supply Chain Vulnerability” Data Breach
Now, let’s focus on Kaiser’s supply chain data breach in 2019 and explore how vulnerabilities in their broader business ecosystem contributed to the breach.
Kaiser Permanente reported a data breach in mid-August 2019 that exposed information from around 1,000 Sacramento-area patients. An unauthorized individual accessed an email account belonging to a Sacramento-based healthcare provider (a Kaiser partner) for about 13 hours, compromising the protected health information of Kaiser patients.
Compromised information included patient names and medical record numbers. For some, additional protected health information, such as age, gender, dates of service, date of benefits, payer name, provider comments, provider name, diagnosis, medical history, insurance coverage status, benefit information, treatment, procedure, and service data, was exposed.
This scenario is a common dilemma, but more so for smaller healthcare providers. How do you secure your supply chain? A company should establish clear cybersecurity standards for partners, conduct a thorough vetting of vendors, enforce robust contractual agreements regarding data protection, regularly audit partners’ security measures, and provide training to enhance awareness. This is much easier to accomplish for larger organizations with more contractual experience and deeper pockets.
Kaiser’s “Insider Threat Attack” Data Breach
Kaiser experienced another breach in 2016, this time from an insider threat attack. Two employees stole ultrasound machines from several Kaiser Permanente sites in Northern California. The stolen machines were recovered and examined, revealing some contained protected health information (PHI).
The investigation also revealed that the stolen equipment was likely taken to resell for profit, not to disclose or misuse the PHI. Despite this, some recovered ultrasound machines contained sensitive information, such as Medical Record Numbers (MRN) and possibly ultrasound images, which could have been easily exploited.
Kaiser’s “Sent Mail to Wrong Address” Data Breaches
Two Kaiser Permanente incidents involve the inadvertent disclosure of protected information through email. The first breach occurred on August 30, 2017, when a document containing protected health information was mistakenly emailed to an external email address from a Kaiser Permanente facility.
In a separate incident on October 29, 2012, an employee in Kaiser Permanente’s Northern California Region Recruitment department mistakenly emailed former employees’ information, including names and Social Security numbers, to an unauthorized recipient. This breach was swiftly addressed, with Kaiser Permanente confirming that the recipient had deleted the information and implementing new controls to prevent future occurrences.
Out of the last 18 breaches reported by Kaiser, four involved instances where sensitive information was sent via U.S. Mail to the wrong recipient, further emphasizing the importance of stringent data protection measures for physical mail and email.
A Case for Better Healthcare Sector Data Breach Protection
These incidents highlight the urgent need for all healthcare organizations—large, medium, and small—to secure their data against various threats, especially cyberattacks and human errors. Healthcare providers, regardless of size, handle vast amounts of sensitive personal information, making them attractive targets for malicious actors while also being vulnerable to unintentional healthcare data breaches.
Organizations like Kaiser Permanente need robust cybersecurity measures, but smaller healthcare providers, which may not have the same resources but still face similar risks, also need them. Regular security audits, staff training, and comprehensive cybersecurity infrastructure and plans are essential for every healthcare organization.
Beyond technical measures, healthcare providers must have clear communication protocols and rapid response plans to effectively manage a healthcare data breach. The ability to quickly detect, respond, and inform those affected is crucial to minimize the impact of a breach.
Stay in Compliance
Whether it’s a large hospital chain or a small medical practice, a comprehensive approach to data protection is critical to maintaining patient trust and ensuring regulatory compliance. As the healthcare sector grapples with complex security challenges, all organizations must take proactive steps to strengthen their cybersecurity posture.
A comprehensive solution designed to provide layered cybersecurity to address the multiple attack vectors that threaten healthcare facilities is critical. Security solutions must cover email, user, and endpoint protection, ensuring healthcare organizations can defend against advanced threats and maintain their focus on patient care.
Email Protection
With an emphasis on email security, healthcare providers must protect against common threats like phishing, ransomware, and Business Email Compromise (BEC). Email encryption, link isolation, and attachment sandboxing create a formidable defense against unauthorized access and data breaches. This focus on email protection is crucial, as it’s a primary entry point for many attacks.
Email protection offers healthcare organizations a vital solution to prevent inadvertent disclosure of protected health information (PHI) through misaddressed emails. Integrated seamlessly with Microsoft Outlook, email security technology can prompt users to confirm external recipients and attachments before sending emails, mitigating the risk of autocomplete errors and unauthorized data leakage.
This technology scans email content and attachments for personally identifiable information (PII), which is customizable through Data Loss Prevention (DLP) rules—with centralized settings management and scalability for organizations of all sizes, ensuring consistent security measures while offering customizable branding and full audit trails, which can bolster compliance, safeguard patient confidentiality, and mitigate the risk of data breaches.
User Protection
Beyond email protection, health systems should consider comprehensive user protection strategies to minimize human risks. The learning platform provides customizable security awareness training and compliance education to reduce accidental data exposure. The platform empowers employees to recognize and avoid phishing attempts while adhering to healthcare regulations like HIPAA. This user-focused approach ensures that healthcare providers can improve their cybersecurity posture without compromising productivity.
Endpoint Protection
Endpoint protection further enhances security by detecting and blocking advanced threats, including zero-day malware and ransomware. Such solutions ensure health systems remain secure with behavior-based runtime protection and advanced detection capabilities.
By addressing healthcare organizations’ complex security needs while reducing complexity through vendor consolidation and a pragmatic approach to cybersecurity, healthcare providers can protect sensitive data, maintain compliance, and focus on their primary mission—protecting patients’ lives.
Usman Choudhary
Usman Choudhary is general manager of VIPRE Security Group.
