Kaiser Permanente Data Breach

Company: Kaiser Permanente
Breach Date: April 12, 2024
Disclosure Date: April 25, 2024
Records Affected: 13.4 million

In April 2024, Kaiser Permanente disclosed that online tracking technologies on its websites and mobile apps had transmitted personal information of 13.4 million current and former members to third-party advertisers including Google, Microsoft, and X (Twitter).

What Happened

Kaiser Permanente discovered that tracking code embedded on its websites and mobile applications had been sharing user data with third-party advertisers without proper consent. The tracking technologies, including cookies and analytics pixels from Google, Microsoft Bing, and X (formerly Twitter), collected and transmitted member information when users interacted with Kaiser Permanente's digital properties. The organization reported the incident to the U.S. Department of Health and Human Services and subsequently removed the tracking technologies. This was not a traditional cyberattack but rather inadvertent data sharing through widely used web tracking tools.

What Data Was Exposed

  • Names
  • IP addresses
  • Website and app navigation activity
  • Search terms used on Kaiser Permanente platforms
  • Health-related information based on pages viewed
  • Sign-in status information

Who Is Affected

The incident affects approximately 13.4 million current and former Kaiser Permanente members who used the organization's websites or mobile applications. Anyone who browsed Kaiser's digital properties while logged in or identifiable was potentially affected.

How to Check If You Were Affected

Kaiser Permanente sent notification letters to affected members. If you are or were a Kaiser Permanente member and used their website or mobile app, you were likely affected. Contact Kaiser Permanente member services or visit their website for more information about the incident.

What You Should Do Now

Last updated: February 10, 2026