// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRC-newsDTG 0600Z
ColdRecon / Breach Radar / Kaiser Permanente
Breach Record

Kaiser Permanente

DISCLOSED 2024-06-28 · MISCONFIG · 13,400,000 RECORDS EXPOSED

A class action lawsuit alleges Kaiser Permanente disclosed the personal and health information of 13.4 million patients to Microsoft, Google, and Twitter via tracking technologies on its website and app. The suit claims this occurred without patient consent. The breach is attributed to misconfigured tracking tools rather than a traditional cyberattack.

The record

What we know

Disclosed
2024-06-28
Attack vector
Misconfig
Sector
Healthcare
Country
US
Records exposed
13,400,000
Data classes exposed
health informationpersonal information
ColdRecon assessment

Could a positive-security control have prevented this?

Verdict · no · opinion

This breach involved unauthorized disclosure via website tracking tools, not endpoint compromise. A positive-security model focused on endpoint allowlisting would not prevent data exfiltration through web-based third-party scripts.

Our assessments are opinion, grounded in the cited public facts. Read them critically.

Sources

Cited reporting

Similar vector · recent

Other misconfig breaches on file

This page is the permanent ColdRecon entry for the Kaiser Permanente disclosure. It updates if new public reporting emerges. All tracked breaches →

Kaiser Permanente just lived through this. Your next prospect doesn't have to.

ColdRecon turns every disclosed breach into a daily intelligence brief from the seller's seat — normalized to the factors that move a deal, written in the Handler's voice. Request clearance and the first lands tomorrow at 0600.

Request Clearance →