13.4 Million Kaiser Insurance Members Affected by Data Leak to Online Advertisers (darkreading.com) 10
Kaiser Permanente is the latest healthcare giant to report a data breach. Kaiser said 13.4 million current and former insurance members had their patient data shared with third-party advertisers, thanks to an improperly implemented tracking code the company used to see how its members navigated through its websites. Dark Reading reports: The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia. Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata.
"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome -- an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."
"The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome -- an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."
What are ads doing there in the first place? (Score:4, Insightful)
So am I missing something or why does a hospital network need to be serving up any ads to their patients at all? Get that ad code out of those pages completely, Kaiser!
Re: (Score:3)
The earliest physicians (barbers back then) used leaches.
Now they are leaches.
There is a video on youtube documenting this: https://www.youtube.com/watch?... [youtube.com]
Re: (Score:3)
Re: (Score:1)
But that's super dumb, because they run the site. They can track every click and collect browser info without adding anything to their pages, and as an added bonus, they aren't giving their tracking info away to others when they do that.
Probably more like they are putting ads on Faceboot and having the tracking pixel on their site makes it so that they can get clickthrough stats in the same interface as they post the ads.
No tool ehh? (Score:5, Insightful)
"no monitoring/auditing process to identify and prevent the issue"
Yes, yes there is. It is called due diligence and intelligent decision making. Unfortunately for Kaiser they never considered the idea that tracking what people were searching for and looking at people clicking links might be a bad idea to share with their optimization partners.
There is no automated tool to prevent this issue...because this is a human stupidity issue. They didn't understand what they were collecting nor where it was going. Which is understandable if you're a nitwit web designer. That is why there is supposed to be intelligent management of both the data itself and the network systems involved.
Their top two executives should spend a year in jail.
A few more instances like this and some of these people might understand accountability.
Re: (Score:2)
"no monitoring/auditing process to identify and prevent the issue" Yes, yes there is. It is called due diligence and intelligent decision making.
Oh, you mean the kind of due diligence and intelligence it takes to calculate a profit much greater than any potential fine if it was suddenly discovered you made an “oops” in your data marketing systems that enabled you to “leak” your customer data to those paying well for it?
Auditing indeed.
Social credit score to include health behavior (Score:2)
Expecting in the future visiting a 'cancer symptoms' web page to somehow be triangulated to not
health related risky behavior and used to raise your health insurance costs or
deny you health coverage.
Likewise, set your priority for urgent medical care at the bottom of the waiting list.
Too much Junk in the Trunk (Score:5, Informative)
I'm a Kaiser member, and there is way too much JavaScript and unnecessary layers in their crazy site. Many simple browser and HTML widget actions simply don't work because an intermediate JS layer re-translates keyboard and mouse actions to something internal, it appears. They are reinventing a browser in a browser.
And it's slow to render, with stuff bouncing around as various panels incrementally load and change the layout and flow. Thus, you often click on the wrong thing if you don't wait at least about 5 seconds.
Kaiser's IT team needs to go to KISS Bootcamp. Or stop renting outsourcers who throw layers at a problem instead of do it right.
Priorities (Score:2)
Kaiser would rather monetize and market with their web than devote necessary resources to securing their network and protecting patient privacy.
Perhaps this is just the warning shot before the ransom ware attack happens.
And? Who goes to prison? CEO or CTO? (Score:2)
Oh, _nobody_ will? Well, then things will remain crappy and insecure. Cheaper that way. No, not cheaper for _you_, obviously.