Kaiser Permanente Settlement Over Web Tracker Data Breach
Kaiser Permanente has agreed to pay up to $47.5 million to settle consolidated class action lawsuits alleging that the healthcare provider's use of web tracking codes on its websites, patient portals, and mobile apps resulted in the unauthorized sharing of sensitive patient information with third-party technology companies, including Google, Microsoft, and X (formerly Twitter). The lawsuits claimed that these embedded trackers violated federal and state laws by disclosing protected health information to external entities without patient consent, leading to a significant HIPAA breach.
The incident, reported to federal regulators in April 2024, affected approximately 13.4 million individuals and was the second largest health data breach reported to the U.S. Department of Health and Human Services that year. The settlement addresses allegations that Kaiser Permanente's practices compromised the privacy and security of patient data, highlighting ongoing concerns about the use of third-party tracking technologies in healthcare digital platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Kaiser agrees to settle web tracker class action for up to $47.5 million
Kaiser Permanente agreed to pay up to $47.5 million to settle consolidated class action litigation alleging its web trackers violated federal and state privacy laws by sharing patient data with third parties. The proposed settlement provides pro rata payments to eligible class members.
Kaiser removes tracking technologies and adds safeguards
Following the disclosure and litigation, Kaiser Permanente removed the tracking technologies from its digital platforms and implemented additional safeguards, while denying wrongdoing.
Kaiser reports web tracker incident as HIPAA breach affecting 13.4 million
In April 2024, Kaiser Permanente reported the incident as a HIPAA breach involving web tracking code disclosures to third parties including Google, Microsoft, and X. The breach affected 13.4 million people and became the second-largest health data breach reported to HHS in 2024.
Kaiser websites and apps used web trackers during class period
The settlement covers Kaiser members in several states and the District of Columbia who accessed certain authenticated web pages or mobile apps between November 2017 and May 2024, the period during which tracking technologies allegedly transmitted data to third parties.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**. Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
Mar 21, 2026
Healthcare Pixel Tracking Data Breach Lawsuit Settlements
Several healthcare organizations, including Cerebral, RAYUS Radiology, Sutter Health, Lemonaid Health, and Redeemer Health, have reached settlements in class action lawsuits related to their use of website tracking technologies such as pixels. These lawsuits alleged that the use of such tools resulted in the unauthorized disclosure of personally identifiable and protected health information to third parties like Meta and Google, without patients' knowledge or consent. The settlements provide financial compensation and, in some cases, service credits to affected individuals, with eligibility typically based on prior notification of the data breach. The legal actions stem from concerns that website tracking technologies, when used on healthcare websites, can transmit sensitive health information to external parties, potentially violating HIPAA and other privacy laws. The U.S. Department of Health and Human Services issued guidance on the use of these tools, emphasizing that they should not be deployed on authenticated patient portals without proper authorization or agreements. The settlements reflect a growing trend of litigation and regulatory scrutiny over the intersection of digital marketing technologies and healthcare privacy obligations.
Mar 21, 2026
Healthcare Provider Email and Network Intrusions Expose Patient Data
**General Physician, P.C.** agreed to pay **$2.5 million** to settle consolidated class-action litigation tied to a **2024 email-environment compromise** that exposed sensitive patient data. The organization detected suspicious activity on **June 12, 2024**, and a forensic investigation found an unauthorized party had accessed its email system from **April 6 to June 12, 2024**. Potentially exposed data included **SSNs, financial account information, dates of birth, medical and treatment details, diagnoses, medical record numbers, and insurance information**; the affected population was later updated to **167,387 individuals** (after an initial placeholder report of 501 to HHS OCR). The settlement fund is intended to provide class benefits after fees/expenses, and the company did not admit wrongdoing. Two additional California healthcare providers reported separate security incidents involving unauthorized access to systems containing patient information. **Valley Radiology Consultants Medical Group** identified a breach on **September 15, 2025**, engaged third-party incident response support, confirmed unauthorized access to its network and files, and began mailing notifications after completing file review on **February 18, 2026**; it also offered **12 months of credit monitoring** and reported taking remediation steps (e.g., password changes and security enhancements). **Nephrology Associates Medical Group** separately began notifying patients about a cyberattack first identified on **May 20, 2025** (details in the provided excerpt are truncated), indicating another healthcare-sector intrusion with patient data exposure risk.
Mar 21, 2026