Kaiser Permanente A.I CyberSecurity Scoring
Kaiser Permanente
Company Information
Website: http://kp.org
Employees number: 133,680
Number of followers: 1,049,900
NAICS: 62
Industry Type: Hospitals and Health Care
Homepage: kp.org
Kaiser Permanente Risk Score (AI oriented)
Between 0 and 549
Kaiser Permanente, Hospitals and Health Care
Updated: 04/04/2026
194/1000
Critical
C

Kaiser Permanente: Critical
Current Score: 194, C (CRITICAL), on a scale of 0 to 1000
17 incidents
-143 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
213
MAY 2026
212
APRIL 2026
206
MARCH 2026
188
FEBRUARY 2026
186
JANUARY 2026
316
Breach
12 Jan 2026 • Kaiser Permanente
Kaiser Permanente: Kaiser Permanente to pay $46 million in privacy data breach settlement. Here’s how to file a claim.
Kaiser Permanente Patient Data Breach Settlement
173
CRITICAL-143
KAI1768267117
Kaiser Permanente Settles $46M Lawsuit Over Patient Data Exposure via Tracking Tools
Kaiser Permanente has agreed to a $46 million settlement to resolve a class-action lawsuit alleging unauthorized sharing of patient data through third-party tracking tools on its websites and mobile apps. The settlement, preliminarily approved in December 2025, covers approximately 13 million current and former members across nine states and the District of Columbia.
The lawsuit, consolidated from multiple filings in 2024, claimed that from November 2017 to May 2024, Kaiser’s digital platforms transmitted sensitive information, including IP addresses, names, medical histories, and user navigation details, to companies like Google, Microsoft, Meta, and Twitter/X without explicit consent. Kaiser denied any misuse of data or exposure of Social Security numbers or financial information but opted to settle to avoid prolonged litigation.
Eligible members, who accessed Kaiser’s websites or apps during the affected period, may receive a one-time payment of $20 to $40 from the settlement fund, which could increase to $47.5 million. Claims must be filed by March 12, 2026, via the settlement website, with payments distributed after final court approval on May 7, 2026. Payouts will be issued electronically or by check.
Kaiser stated it removed the tracking technologies in 2024 and implemented additional safeguards to prevent future incidents. The company maintains no evidence of data misuse but emphasized the settlement as a resolution to legal uncertainty.
DECEMBER 2025
344
NOVEMBER 2025
304
OCTOBER 2025
295
SEPTEMBER 2025
286
AUGUST 2025
277
JULY 2025
268
AUGUST 2024
200
Breach
02 Aug 2024 • Kaiser Permanente
Kaiser Foundation Hospitals
Kaiser Foundation Hospitals Data Breach
142
HIGH-58
KAI603072625
The California Office of the Attorney General reported that Kaiser Foundation Hospitals experienced a data breach on August 2, 2024, which was discovered on September 3, 2024. Unauthorized access occurred to the email accounts of two workforce members, potentially exposing protected health information of individuals. The number of individuals affected is not specified.
JUNE 2024
290
Breach
16 Jun 2024 • Kaiser Permanente
Kaiser Permanente
Kaiser Permanente Data Breach
184
CRITICAL-106
KAI004032225
Kaiser Permanente, a leading healthcare organization, has reported a significant data breach affecting 13.4 million members, marking it as the largest healthcare-related data breach of 2024. The compromised information includes names, IP addresses, account interaction details, and navigational data on Kaiser's websites and mobile apps. The breach resulted from tracking code that shared data with third-party advertisers, including major tech companies like Google, Microsoft, and X (formerly Twitter). This incident has raised privacy concerns and prompted Kaiser to remove the tracking code and notify the affected individuals.
MAY 2024
473
Breach
01 May 2024 • Kaiser Permanente
Kaiser Permanente: Kaiser Permanente to pay $46 million in privacy data breach settlement. Here's how to file a claim.
Kaiser Permanente Patient Data Breach Settlement
330
CRITICAL-143
KAI1768267006
Kaiser Permanente Settles $46M Lawsuit Over Alleged Patient Data Breaches
Kaiser Permanente has agreed to a $46 million settlement to resolve a class-action lawsuit alleging unauthorized sharing of patient data through its websites and mobile apps. The settlement, preliminarily approved in December 2025, stems from multiple lawsuits filed in 2024, which were consolidated into a single case.
The lawsuit claimed that from November 2017 to May 2024, Kaiser’s digital platforms used third-party tracking tools, including code from Google, Microsoft, Meta, and Twitter/X, that transmitted sensitive information without user consent. Exposed data reportedly included IP addresses, names, medical histories, search terms, and user navigation details. Kaiser denied any misuse of data or exposure of Social Security numbers or financial information, stating the settlement was reached to avoid prolonged litigation.
Eligible members (current or former Kaiser patients in nine states and D.C. who accessed its websites or apps during the affected period) may receive a one-time payment of $20 to $40 from the settlement fund, which could increase to $47.5 million. Claims must be filed by March 12, 2026, via the settlement website, with payments distributed after final court approval on May 7, 2026. Payouts will be issued electronically or by check.
Kaiser stated it removed the tracking technologies in 2024 and implemented additional safeguards to prevent future incidents. The company maintains no evidence of data misuse but settled to resolve the legal dispute.
OCTOBER 2023
436
Breach
25 Oct 2023 • Kaiser Permanente
Kaiser Foundation Health Plan, Inc.
Data Breach at Kaiser Foundation Health Plan, Inc.
378
LOW-58
KAI842072625
The California Office of the Attorney General reported a data breach involving Kaiser Foundation Health Plan, Inc. on April 12, 2024. The incident occurred on October 25, 2023, when certain online technologies potentially transmitted personal information such as IP addresses and names to third-party vendors. Detailed information like Social Security numbers and financial information was not involved.
SEPTEMBER 2022
414
Data Leak
01 Sep 2022 • Kaiser Permanente
Kaiser Permanente
Improper Access to Health Information at Kaiser Foundation Health Plan of the Mid-Atlantic States
340
CRITICAL-74
KAI184191222
Kaiser Foundation Health Plan of the Mid-Atlantic States notified 8,556 individuals of improper access to their health information.
In September 2022, Kaiser Permanente determined that an employee had inappropriately accessed medical records without a legitimate reason for doing so.
The employee viewed a variety of information, including names, medical record numbers, phone numbers, birth dates, addresses, medical information, and photographs.
MAY 2022
449
Breach
20 May 2022 • Kaiser Permanente
Kaiser Foundation Health Plan, Inc.
Kaiser Permanente Data Breach
391
HIGH-58
KAI703072925
The California Office of the Attorney General reported on July 15, 2022, that Kaiser Permanente experienced a data breach on May 20, 2022, involving the theft of an iPad from a medical center. The breach potentially affected individuals' first names, last names, medical record numbers, dates of birth, and service dates. The breach response included notifying law enforcement and remotely erasing the iPad's data.
APRIL 2022
519
Breach
01 Apr 2022 • Kaiser Permanente
Kaiser Permanente
Unauthorized Access to Kaiser Permanente's Email System
440
CRITICAL-79
KAI12717622
Unauthorized access to the US healthcare giant Kaiser Permanente's email system exposed the healthcare and personal information of up to 70,000 patients.
The breach exposed patients’ first and last names, medical record numbers, dates of service, and laboratory test result information of the health plan provider.
Kaiser Permanente asked all of its employees to reset their passwords for their email accounts and arranged additional training on safe email practices for all its staff.
SEPTEMBER 2021
582
Ransomware
01 Sep 2021 • Kaiser Permanente
TTEC
Ransomware Attack on TTEC
486
CRITICAL-96
TTE16021322
TTEC's systems were affected by a ransomware attack by the Ragnar Locker group on its servers.
The outage impacted access to the network, applications and customer support.
The attackers gained access to the systems and left messages on them asking for ransom.
OCTOBER 2019
545
Breach
06 Oct 2019 • Kaiser Permanente
Kaiser Health Plan, Southern California
Data Breach at Kaiser Health Plan, Southern California
487
HIGH-58
KAI941080425
The California Office of the Attorney General reported a data breach involving Kaiser Health Plan, Southern California, on February 28, 2020. The breach occurred when a former address was incorrectly used for mailings to individuals between October 6 and December 20, 2019, potentially affecting demographic and medical information. The specific number of individuals affected is currently unknown.
AUGUST 2019
596
Breach
12 Aug 2019 • Kaiser Permanente
Kaiser Permanente
Kaiser Permanente Data Breach
538
HIGH-58
KAI228072525
The California Office of the Attorney General reported a data breach involving Kaiser Permanente on September 26, 2019. The breach occurred on August 12, 2019, when a provider’s email account containing protected health information was compromised for approximately thirteen hours. The types of information potentially exposed included names, medical record numbers, and various health-related details, but Social Security numbers and financial information were not involved.
NOVEMBER 2017
574
Breach
02 Nov 2017 • Kaiser Permanente
Kaiser Foundation Health Plan, Inc.
Kaiser Foundation Health Plan, Inc. Data Breach (2017)
516
CRITICAL-58
KAI502082925
On November 2, 2017, Kaiser Foundation Health Plan, Inc. experienced a data breach reported by the California Office of the Attorney General on December 5, 2017. The incident involved the unauthorized compromise of personal health information (PHI), though the exact number of affected individuals remains undisclosed. The breach exposed sensitive medical and personally identifiable data, posing risks such as identity theft, financial fraud, or misuse of health records. Given the nature of the compromised information—health data—this incident carries severe implications for patient privacy, trust in the healthcare provider, and potential regulatory penalties under laws like HIPAA (Health Insurance Portability and Accountability Act). The lack of clarity on the scale of the breach further complicates mitigation efforts, leaving affected individuals vulnerable to long-term consequences. Healthcare breaches of this nature often trigger investigations by regulatory bodies, legal repercussions, and reputational damage that can erode patient confidence. The exposure of PHI also heightens the risk of targeted phishing attacks or blackmail, particularly if the data includes diagnoses, treatment histories, or insurance details. Kaiser’s response—including notification protocols, remediation measures, and transparency—would be critical in determining the long-term impact on its operations and public perception.
AUGUST 2017
622
Breach
09 Aug 2017 • Kaiser Permanente
Kaiser Foundation Health Plan
Kaiser Foundation Health Plan Data Breach (2017)
564
HIGH-58
KAI557091725
On August 9, 2017, Kaiser Foundation Health Plan experienced a data breach when an employee inadvertently emailed a document containing protected health information (PHI) to an unknown external address. The incident was reported to the California Office of the Attorney General on August 31, 2017. The breach involved the unauthorized disclosure of sensitive patient data, though the exact number of affected individuals was not specified. The exposed information likely included medical records, personal identifiers, or treatment details, posing risks such as identity theft, fraud, or reputational harm to the impacted patients. As a healthcare provider, Kaiser’s breach underscores vulnerabilities in internal data-handling protocols, particularly in securing PHI against accidental leaks. The incident did not involve ransomware or a targeted cyber attack but stemmed from human error, highlighting the need for stricter email security measures and employee training to prevent similar occurrences in the future.
NOVEMBER 2016
656
Breach
16 Nov 2016 • Kaiser Permanente
Kaiser Foundation Hospitals
Data Breach at Kaiser Foundation Hospitals
598
MEDIUM-58
KAI928072525
The California Office of the Attorney General reported a data breach involving Kaiser Foundation Hospitals on December 20, 2016. The breach, which occurred due to a system error between November 16 and 28, 2016, potentially exposed individuals' names, ages, addresses, copay information, deductible payments, and out-of-pocket expenses. The number of individuals affected is currently unknown.
OCTOBER 2016
712
Breach
12 Oct 2016 • Kaiser Permanente
Kaiser Permanente Health Plan, Inc.
Kaiser Permanente Health Plan Data Breach
654
LOW-58
KAI406072625
The California Office of the Attorney General reported that Kaiser Permanente Health Plan, Inc of Northern California experienced a data breach on November 7, 2016, related to an accidental exposure of protected health information on October 12-13, 2016. The breach allowed member information accessed via kp.org to be mistakenly viewable by other visitors for approximately two hours, although no Social Security numbers or banking information were compromised.
AUGUST 2012
701
Breach
24 Aug 2012 • Kaiser Permanente
Kaiser Permanente
Kaiser Permanente Data Breach
643
HIGH-58
KAI654072925
The California Office of the Attorney General reported a data breach involving Kaiser Permanente on October 29, 2012. The breach occurred on August 24, 2012, when an employee mistakenly emailed confidential employee information, including names and Social Security numbers, to an unauthorized recipient. The number of individuals affected is not specified, but the report states that no personal health information was involved.
APRIL 2012
761
Breach
06 Apr 2012 • Kaiser Permanente
Kaiser Permanente
Kaiser Permanente Data Breach
697
CRITICAL-64
KAI529072625
The California Office of the Attorney General reported that Kaiser Permanente experienced a data breach on April 6, 2012, due to an employee inadvertently sending a report to a non-Kaiser Permanente email address. The reported date of the incident is April 16, 2012. The incident potentially affected patient identifiable information, although the number of individuals affected is unknown.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Kaiser Permanente?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in May 2026?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in April 2026?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in March 2026?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in February 2026?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in January 2026?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in December 2025?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in November 2025?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in October 2025?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in September 2025?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in August 2025?
What was Kaiser Permanente's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Kaiser Permanente's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Kaiser Permanente?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Kaiser Permanente's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?