Class Action Litigation Alleges Web Trackers Shared Patient Data With Tech Firms
Kaiser Permanente has agreed to pay up to $47.5 million to settle consolidated class action litigation stemming from its use of tracking codes in its websites, patient portals and mobile apps. Claimants alleged the trackers unlawfully shared patients’ information with third parties, including Google, Microsoft and X – formerly Twitter.
See Also: Going Beyond the Copilot Pilot – A CISO’s Perspective
California-based Kaiser Permanente is one of the largest U.S. not-for-profit health plans and healthcare providers, serving about 12.6 million members in eight states and Washington, D.C.
The organization’s insurance arm, Kaiser Foundation Health Plan, reported the incident in April 2024 to federal regulators as an unauthorized access/disclosure HIPAA breach affecting 13.4 million people (see: Kaiser Permanente Notifying 13.4 Million of Tracker Breach).
The Kaiser breach was the second largest-health data breach reported to the U.S. Department of Health and Human Services last year, behind the Change Healthcare ransomware attack, which affected the protected health information of nearly 193 million people.
The consolidated class action complaint against Kaiser alleged a long list of federal and state law violations and other claims against the health plan in its use of embedded tracking codes that shared plaintiff and class members’ sensitive information to third parties including Quantum Metric, Twitter, Adobe, Microsoft Bing and Google.
The lawsuits claimed negligence, breach of implied contract and violations of the federal Electronic Communications Privacy Act, the California Confidentiality of Medical Information Act, the Georgia Computer Systems Protection Act, the Maryland Wiretapping and Electronic Act and several other state laws.
Settlement Terms
Under the preliminary settlement, Kaiser denies any wrongdoing and liability.
Kaiser has agreed to pay $46 million, an amount that “may be increased, but in no event will it exceed $47.5 million, depending on certain conditions of the confidential Supplemental Agreement,” court documents said.
Settlement class members include Kaiser members in California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington and the District of Columbia who accessed the authenticated pages of certain Kaiser Permanente websites or mobile applications from November 2017 to May 2024.
Under the settlement, each eligible class member will receive an equal pro rata payment which will be calculated by dividing the net settlement fund by the total number of authorized claimants.
The net settlement fund is the amount of the settlement amount remaining after the deduction of court-ordered payments for yet-determined attorneys’ fees and costs; court-awarded service awards slated at about $5,000 per named plaintiff; and the settlement administrator’s expenses and fees, and any taxes.
Kaiser did not immediately respond to Information Security Media Group’s request for comment on the preliminary settlement in the web tracking class action litigation.
In its April 2024 breach notice to affected individuals, Kaiser said it removed online cookie and pixel technologies from its websites and mobile applications, and implemented additional measures with the guidance of experts to safeguard against recurrence of this type of incident.
Thorny HIPAA Issues
The Kaiser breach was one of many large HIPAA breaches reported to HHS in 2023 and 2024 by other healthcare sector organizations related to their previous use of tracking pixels. In those cases, lawsuits alleged that patient information was captured on patient portals and websites and transmitted to third parties including Meta and Google (see: Blue Shield Web Trackers Shared Member PHI with Google Ads).
During the Biden administration, both HHS’ Office for Civil Rights and the Federal Trade Commission scrutinized the use of web tracking tools in health-related websites and mobile apps (see: Feds Warn Hospitals, Telehealth Firms About Web Tracker Use).
The Biden administration FTC had issued several enforcement actions about telehealth companies, including GoodRx and BetterHelp, related to their use of web trackers.
During the second Trump administration, which began in January, the FTC has taken no further enforcement actions in web tracking cases.
HHS OCR released guidance materials in 2022 and 2024 that warn about potential HIPAA violations related to online trackers, but has yet to issue an enforcement action in any web tracking cases (see: Tracker Backtrack: Feds Revise HIPAA Guidance on Web Tools).
Last year, HHS OCR and the FTC sent letters to 130 hospitals and telehealth firms letters warning about their use of web trackers (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).
Numerous civil class action lawsuits alleging privacy violations have been filed against healthcare sector organizations. In addition to Kaiser Permanente, several others have opted to settle including New York-based Mount Sinai Health System, which agreed in August to $5.3 million preliminary settlement of a proposed class action lawsuit. In that case, claimants alleged the hospital’s use of online tracking tools in its patient portal and website sent patient information to Facebook without their knowledge or consent for years (see: NY Health System Settles Web Tracker Privacy Claim for $5.3M).