Kaiser Permanente Class Action: Patient Data Shared with Tech Giants

California-based Kaiser Health shared the personal information of more than 13.4 million patients with Google, X, and Microsoft without their knowledge and consent, a new lawsuit alleges. 

The three plaintiffs accuse the healthcare provider of violating federal and state laws, and are suing for $1,000 per violation, which they say could total more than $13.4 billion in damages.

Lawsuit Claims Unauthorized Sharing of Patient Data with Google, X, and Microsoft

Christopher Newton, Christa Vital, and Scott Sclmtza filed the proposed class action lawsuit against Kaiser Foundation Health Plan, Inc. alleging violations of the Confidentiality of Medical Information Act and California state laws.

They accuse the company of intentionally sharing the personal information of patients who received treatment at one of the company’s hospital, satellite, or urgent care locations to the three tech giants without authorization.

The information shared included names, dates of birth, addresses, medical record numbers, insurance providers, electronic mail addresses, telephone numbers, and social security numbers, the lawsuit states.

The plaintiffs say that since they were notified about the data breach in April, they have already received numerous letters and phone calls from third parties—including some that are explicitly regarding healthcare they had been seeking. 

Kaiser Patients Allege Harm After Data Breach

According to the lawsuit, the patients only found out about their information being shared when TechCrunch wrote an article about the situation on its website in April 2024. Information filed by Kaiser Health with the United States Department of Health and Human Services not long after confirmed the situation.

The patients say in the lawsuit that the notice filed with DHHS gave the impression Kaiser “regularly gave unrestricted access to third parties” to their personal and private medical information prior to April 2024.

The report also said Kaiser shared with the tech companies how patients searched and navigated its healthcare encyclopedia. The plaintiffs accuse the company of never having got authorization to release any medical records to any person on their behalf, and of failing to any remediation to prevent patients suffering identity theft. 

“Despite knowing many patients were in danger, Defendant did nothing to warn Class Members. During this time, unauthorized third parties had free reign to surveil and defraud their unsuspecting victims,” the lawsuit states.

According to the media reports, Kaiser "subsequently removed the tracking code from its websites and mobile apps." 

Data Breach Lawsuit Latest in String of Legal Woes for Kaiser Permanente

Kaiser is no stranger to legal action, and action over data sharing at that. In 2023, the company faced essentially the same lawsuit that accused it of disclosing patients’ website interactions and communications with the same big three tech companies. 

2023 was a big year of legal action for Kaiser: it also paid out $200 million and agreed to major changes to its mental health services after being found to have seriously faulted its service provision. Investigations found the company repeatedly canceled tens of thousands of appointments and failed to provide timely care, The Los Angeles Times reported.

Meanwhile, California Attorney General Rob Bonta and six other DAs reached a settlement with Kaiser over allegations the healthcare provider unlawfully disposed of hazardous waste, medical waste, and protected health information at Kaiser facilities statewide. 

Back in 2021, the company had to pay $11.5 million to settle a class action lawsuit accusing it of racial discrimination against employees, which involved more than 2,000 Black employees in consulting services and administrative support.

Kaiser Lawsuit Raises Alarming Questions

It’s not just Kaiser, either, who is dealing with data issues—the problem has become pervasive with healthcare providers. Healthcare data breaches have been steadily rising each year, according to the Department of Health and Human Services Office for Civil Rights.

Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR. Those breaches have resulted in the exposure or disclosure of more than 500 million healthcare records.

The largest healthcare data breach since 2009 occurred at Anthem Inc. in 2015, The HIPAA Journal reports. The breach involved the records of 78.8 million individuals. The current Change Healthcare data breach fallout could prove to be worse. Almost 50 lawsuits filed against UnitedHealth Group after its Change Healthcare payment processing unit was hit with a cyberattack in February will be centralized in a Minnesota court, where the action will play out. 

In the Kaiser data breach class action lawsuit, Newton, Vital, and Sclmtza want to represent anyone affected by the breach and are seeking damages, injunctive relief, and more. 

Case Details

• Lawsuit: Newton et al. v. Kaiser Foundation Health Plan, Inc., et al.
• Case Number: 3:24-cv-03625-AMO
• Court: U.S. District Court Northern District of California, San Francisco Division 

Plaintiffs' Attorneys

• Mark D. Potter and James M. Treglio (Potter Handy LLP)