What All Healthcare IT Leaders Must Understand About the Kaiser Permanente Breach

Of the many, many facets of healthcare-industry cybersecurity that IT leaders must be aware of, browser-side attacks and data leaks have particularly high potential to blindside an organization. Just ask leading healthcare provider Kaiser Permanente, which recently suffered a gargantuan data breach compromising the sensitive personal information of 13.4 million past and present insurance holders. The source of this breach wasn’t a nefarious attacker, although it could have been. In this case, careless management of browser-side third-party scripts resulted in unintentional and improper sharing of patients’ data and browsing behavior with external vendors and advertisers.

The incident: why third-party browser scripts are a first-rate security concern

The data breach incident stemmed from Kaiser Permanente’s use of tracking codes designed to understand user behavior and usage patterns on the company’s websites and mobile applications. That tracking code captured data including patients’ names, IP addresses, their login status, the web pages they visited, and the search terms they entered to find information in Kaiser’s health encyclopedia. Unfortunately, third-party scripts active on Kaiser’s websites and mobile apps then inadvertently transmitted that data to third-party advertisers.  

Tracking scripts used by healthcare-industry organizations must comply with HIPAA and other privacy regulations, and Kaiser reported the breach to the U.S. Department of Health and Human Services (HHS) as required. And while this data exposure rated as 2024’s largest confirmed data breach in the healthcare field to date, Kaiser is hardly the only industry organization to end up on the wrong side of this security challenge. In the last year, healthcare businesses Monument, Tempest, and Cerebral each accidentally allowed their online tracking code for collecting user analytics to provide sensitive patient data to third-party advertisers. Like Kaiser, each of these businesses subsequently removed that tracking code from their websites and apps. 

The challenge for healthcare IT leaders

Modern websites (and organizations’ mobile apps) commonly utilize more than 30 third-party scripts to enable key functionalities. These scripts from outside vendors cover everything from healthcare organizations’ payment portals to chatbots to analytics tracking. The issue from a data security perspective is that the engineers developing those web and app experiences often must include third-party scripts that serve the purposes of their company’s marketing, data, or legal departments. As a result, engineers often introduce scripts without full context or knowledge of which specific pages require them or what level of data access they actually need. Naturally, these engineers do the only thing they can to make sure a script works as intended: deploy it across the entire website or app. The immediate result is that the script deployment is a success. The long-term consequence is that the script might access and share data where that shouldn’t be the case.

Use of tracking scripts is common in the healthcare industry. Relatedly, so is risk of data breaches from poor third-party script management. Even where IT leaders have thoughtful traditional data security, compliance teams, policies and safeguards in place, this threat too often goes overlooked.

In Kaiser’s case, it appears engineers encountered challenges in aligning the tracking code’s data permissions with its intended purpose. A mismatch of that kind also complicates coordination among IT leaders over how the tracking code’s data usage is disclosed. While the information involved in the Kaiser incident may not strictly qualify as electronic protected health information (ePHI), it did contain sensitive data that could hint at health conditions. This situation may still draw scrutiny from HIPAA regulators, and the incident has already had an impact on Kaiser’s reputation.

What healthcare IT leaders should do

To avoid incidents like the Kaiser breach, healthcare IT leaders should introduce Content Security Policies (CSPs) that allow their security teams to visualize and closely manage all third-party scripts running on webpages and apps. Leaders should then enable engineers to utilize conditional rendering—replacing global script deployments with the best practice of loading scripts only on pages where they’re needed. These processes will protect against unauthorized data sharing, as happened in the Kaiser incident, and mitigate any attacks that attempt to access data by rendering malicious browser-side code. 

Ideally, a browser-side security strategy will give security teams full visibility to understand what third-party scripts are running on each page, analyze those scripts before the user’s browser or app receives them, and automatically block threats to data, malicious or otherwise. Historical context analysis will further prepare teams to effectively monitor and deliver successful responses to third-party script threats. 
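The controls described in the two paragraphs above (a CSP that allowlists script origins and reports anything else, vetting a script before it reaches the page, and loading a tracking tag only on the routes that need it) can be sketched in a few server-side helpers. This is an added example, not code from c/side, Kaiser, or the article; the vendor hostname, the report endpoint and the route patterns are constructed placeholders.

```javascript
// Added example, not code from c/side, Kaiser, or the article: a CSP builder,
// an origin allowlist check, and route-based conditional loading of a third-party
// tracking script. All hostnames and route patterns are constructed placeholders.

// Script origins the security team has vetted (constructed values).
const VETTED_SCRIPT_ORIGINS = ["https://analytics.example-vendor.invalid"];

// Build a Content-Security-Policy header value that only permits scripts from 'self'
// and vetted origins, and reports violations so the team sees unexpected scripts.
function buildCsp(origins, reportEndpoint) {
  const allowed = ["'self'", ...origins].join(" ");
  return [
    "default-src 'self'",
    `script-src ${allowed}`,
    `connect-src ${allowed}`, // where page scripts are allowed to send data
    "object-src 'none'",
    "base-uri 'self'",
    `report-uri ${reportEndpoint}`,
  ].join("; ");
}

// Reject any script URL whose origin is not on the vetted list (default deny).
function isVettedScript(url, origins = VETTED_SCRIPT_ORIGINS) {
  try {
    return origins.includes(new URL(url).origin);
  } catch {
    return false; // an unparsable URL is never allowed
  }
}

// Routes where analytics is acceptable; everything else is denied by default.
// Pages exposing login state or health-encyclopedia searches are never tracked.
const TRACKING_ALLOWED_ROUTES = [/^\/$/, /^\/about(\/|$)/, /^\/locations(\/|$)/];
const TRACKING_DENIED_ROUTES = [/^\/health-encyclopedia/, /^\/my-account/, /^\/login/];

function shouldLoadTracking(pathname, loggedIn) {
  if (loggedIn) return false; // never ship the tag into an authenticated session
  if (TRACKING_DENIED_ROUTES.some((r) => r.test(pathname))) return false;
  return TRACKING_ALLOWED_ROUTES.some((r) => r.test(pathname));
}

// Server-side rendering helper: emit the tag only on pages that need it,
// and only if the tag's URL passes the vetting check.
function scriptTagsFor(pathname, loggedIn, tagUrl) {
  if (!shouldLoadTracking(pathname, loggedIn) || !isVettedScript(tagUrl)) return [];
  return [`<script src="${tagUrl}" async></script>`];
}
```

Sending `buildCsp(...)` as the `Content-Security-Policy` header and rendering `scriptTagsFor(...)` into the page template gives the team both the allowlist and the per-route loading decision in one place.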

Lessons from a high-profile data breach

The Kaiser breach points to larger takeaways about third-party script security that healthcare IT leaders should take to heart. With most websites and apps using numerous third-party scripts, the abilities to vet, secure and continuously monitor each script at runtime are crucial. Because traditional network monitoring and security cannot detect browser-side threats, organizations require specialized strategies. The HIPAA regulatory compliance duties to defend protected data from these threats—and the consequences of failing to—are as stark as with any area of traditional data security. The reputational risks and potential loss of customer trust are just as real as well.


About Simon Wijckmans
Simon Wijckmans is the CEO and founder of c/side, a cybersecurity company focused on browser-side threat detection and protection. Previously, he held product management roles at Cloudflare and Vercel.