The healthcare giant Kaiser Permanente is notifying more than 13 million customers that their personal information may have been shared with third-party vendors. 

In an April 12 notice to the Department of Health and Human Services, first reported by TechCrunch, the company said the information may include IP addresses, names, “information that could indicate a member or patient was signed into a Kaiser Permanente account or service, information showing how a member or patient interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”  

It does not include financial information or Social Security numbers, they said.

The potential breach occurred through unnamed “online technologies” — likely tracking software — installed on Kaiser websites and mobile applications, which the company says have since been removed. 

The third-party vendors receiving the data were Google, Microsoft Bing and X, formerly Twitter. The company said it is not aware of any misuse of the information but that it is notifying about 13.4 million patients and members who used the websites. 

A company spokesperson told TechCrunch such notifications would begin in May. 

In December 2022, DHS issued guidance to healthcare providers about tracking technologies and how they may run afoul of health privacy laws.  

Information is protected, they wrote, “even if the individual does not have an existing relationship with the regulated entity and even if the [identifiable health information], such as IP address or geographic location, does not include specific treatment or billing information like dates and types of health care services.” 

Like other health providers, Kaiser’s use of online tracking tools has drawn scrutiny before. It is a defendant in a class action lawsuit filed in June 2023 over its tracking technology, including software that allegedly gathers information for Google, Bing and X. 

“The third party code that Kaiser Permanente has installed on its website transmits and redirects the content of Plaintiffs and other Class Members’ communications to these Third Party Wiretappers from the very moment that a user first loads Kaiser Permanente’s website and continues as the user navigates through the website researching and sharing sensitive information,” the complaint alleges. 

A study published last year by researchers at the University of Pennsylvania and Carnegie Mellon found that 98.6% of non-federal acute care hospitals in the U.S. use third-party tracking tools on their websites.