Written by:
Matthew Delman Data privacy and data protection legislation and regulatory regimes have become more common and more stringent in the past few years around the world. In Europe, the General Data Protection Regulation (GDPR) offers expansive penalties for noncompliance and regulates how companies should protect data as well as the rights of European citizens in terms of ownership over their data.
Healthcare companies in the U.S. that work with patient data have the Health Insurance Portability and Accountability Act (HIPAA) and its expansive rules around what classifies as a breach of patient data.
That was on display recently with the breach notification that Kaiser Foundation Health Plan, which operates as Kaiser Permanente, recently sent to federal regulators and the California attorney general. Kaiser discovered that it had accidentally sent data on 13.4 million customers to tech companies because of its use of web analytics trackers on its website and mobile app. This counts as a data breach under HIPAA rules, forcing the company to notify regulators of its occurrence.
This blog will discuss the Kaiser Permanente data breach and examine how this type of accidental data loss could potentially be avoided.
Overview of the Breach
On April 12, 2024, Kaiser Foundation Health Plan notified regulators that a web analytics tool installed at one of its subsidiaries may have collected personal information including patients’ names, IP addresses, sign-in statuses and how they navigated through Kaiser’s website and mobile apps.
This data was sent to tech companies like Google, Microsoft Bing, and X (Twitter) when users accessed its websites or mobile apps. It included behaviors such as what was searched on Kaiser’s health encyclopedia, so those tech companies could see if the user was looking for information on specific health conditions or not.
Kaiser will begin to notify 13.4 million current and former members about the data breach in May. They have since deactivated and removed the web tracker that caused this personal information to be unintentionally transmitted to the technology companies.
Why Accidental Data Loss Is Damaging in Healthcare
The incident with Kaiser is an interesting one. It’s not the result of a cyberattack on the company, although they have experienced those in the past like one resulting from an email compromise in 2022, but rather resulting from a software tool operating as intended.
Web trackers often transmit data to advertisers like Google search and Microsoft Bing to allow those companies to retarget ads throughout the rest of a users journey on the internet. Healthcare companies have long been wary of these systems because of the security and regulatory implications of the data transmission.
HIPAA breach notification rules nevertheless consider this accidental transmission of personal information a violation that requires regulatory notification and notices sent to individuals about the incident. Kaiser may even expect a fine from the government as a result of the incident. The state of California fined the company $450,000 in 2023 because they didn’t update a mailing database and sent out letters with protected health information to 167,000 people.
Healthcare companies like Kaiser need to be keenly aware of what data is being accessed and/or shared by the technologies they use in their day to day lives. HIPAA is especially broad in terms of its breach notification rules, and even a minor slip-up with a technology that hasn’t been properly authorized or vetted can result in potentially major consequences.
How Sotero Helps With Preventing Accidental Data Loss
Accidental data loss can occur in any number of ways. Users may send confidential information to someone who shouldn’t have access to it, admins may accidentally delete sensitive data from a SharePoint site, or technology that hasn’t been fully vetted could collect intelligence in violation of privacy regulations.
These accidental data losses can nevertheless cause major problems. As privacy regimes become more stringent, unintentional data loss may result in large fines akin to the penalties for malicious data exfiltration. This changing environment means that organizations need a solution like Sotero to automatically catalog and encrypt data at rest and in transit.
Sotero uses machine learning algorithms to analyze each data access request at the moment it’s made, and then review and categorize them based on threat potential. This analysis is performed in real time by a self training machine learning model that detects and stops even accidental data loss nearly instantly.
The Sotero platform blends data security posture management and data detection and response (DDR) with continuous monitoring and robust ransomware protection across all data types. Unifying these solutions empowers security teams with the ability to automatically discover and classify data, ensure critical information is secured at the highest level, manage access to sensitive data, and meet necessary compliance standards within a single platform.
Sotero enables teams to defend against accidental data loss efficiently, notifying them of requests from solutions and users to ensure that data isn’t accessed by unauthorized personnel or systems. This is a potential game-changer for ensuring long-term regulatory compliance and protecting sensitive insight. As regulatory regimes become tighter, this effort will become even more crucial. With Sotero, customers can be confident in their data protection and ability to comply with all required data privacy rules.
To learn more about Sotero, request a demo today.