$46 Million — A Hard Lesson on Web Tracking and Patient Privacy
- Jessica Zeff

- Dec 26, 2025
- 3 min read

According to recent reporting, Kaiser Permanente agreed to pay at least $46 million (potentially up to $47.5 million) to settle a class‑action lawsuit alleging it improperly shared patient data via tracking technologies embedded in its websites, mobile apps, and patient portals.
Specifically:
- The health system used cookies, pixels, and other “web‑tracking tools” on pages likely to handle or display protected health information (PHI), rather than limiting them to purely public, marketing‑only sites.
- These tools potentially passed data — such as user names, IP addresses, site navigation behavior, and content viewed (including health‑related search terms and interactions) — to third‑party vendors including major tech companies.
- Up to 13.4 million members were affected.
Kaiser has since removed those tracking technologies and notified impacted individuals, but the scale of the settlement makes this one of the largest privacy‑related pay‑outs in recent years.
Where Kaiser Went Wrong
Misuse of Web Tracking Tools on Protected Pages
HIPAA does not implicitly permit the use of web‑tracking tools (cookies, pixels, analytics trackers) on pages where PHI may be viewed or managed, such as portals, account‑access pages, or health‑information content. By deploying tracking tools there, Kaiser exposed sensitive user data to third‑party vendors, and that exposure risks impermissible disclosure under HIPAA.
Inadequate Risk Assessment & Oversight
Use of such tracking tools in a healthcare context demands rigorous risk analysis, vendor evaluation, and safeguards, especially when the tools interact with PHI. Kaiser’s internal controls failed to detect that these tools could expose member data, or to prevent those exposures before millions were impacted.
Lack of Transparency / Appropriate Consent or Vendor Agreements
Tracking vendors receiving data in a healthcare context generally need proper agreements, and patients must be informed if their PHI might be shared, except where the data is de‑identified. In this case, the data shared included potentially re‑identifying information (names, IP addresses, user behavior), without documented patient authorizations or business‑associate agreements covering those disclosures.
Compliance Culture Gap: Treating Web Tools Like Marketing, Not PHI Risk
It appears Kaiser treated these tracking technologies as standard website analytics rather than as tools subject to privacy‑law scrutiny. That mischaracterization undercut compliance efforts and revealed a dangerous disconnect between digital marketing practices and HIPAA / privacy obligations in a health‑care context.
Why This Matters
Web‑tracking tools are not benign in a healthcare environment. What may be commonplace for a retail website — cookies, pixels, user analytics — can become a serious risk when PHI is involved.
Risk assessments must include non‑traditional IT artifacts. Cookies, web trackers, analytics tags, and third‑party libraries should all be reviewed as part of your HIPAA and vendor‑management risk program.
Vendor management and consent remain critical. If you engage third parties (analytics firms, ad platforms, cloud services), you must ensure documented agreements, identify permissible uses, and prevent unauthorized data flows.
Transparency and patient trust matter. Patients expect their health information to be handled carefully, not used for marketing profiling without clear consent. Failure to safeguard that trust can result in regulatory and legal consequences — as Kaiser’s settlement shows.
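The review of cookies, trackers, analytics tags and third‑party libraries called for above starts with knowing which outside hosts a PHI page actually loads resources from. The script below is an added example, not code from the post or from Kaiser; it takes a saved HTML snapshot of a portal page and lists every script, image pixel, iframe or stylesheet fetched from a host outside your own first‑party domains. The hostnames in the sample page are constructed placeholders.

```python
"""Inventory third-party resource loads on a page that may display PHI.

Added example (not from the original post). Assumes you can save the HTML of
a portal page; the hostnames in SAMPLE_PORTAL_HTML are constructed placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute makes the browser fetch a resource. Each fetch sends
# the destination host the user's IP address, usually the referring page URL,
# and any cookies that host has set: the data flows described in the post.
_URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every resource-loading element."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        wanted = _URL_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.resources.append((tag, value))


def third_party_loads(html, first_party_hosts):
    """Return (tag, host, url) for each resource served from outside first_party_hosts.

    Relative URLs are served by the portal itself and are skipped; subdomains of
    a first-party host count as first party.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.resources:
        host = urlparse(url).hostname
        if host is None:
            continue
        if host in first_party_hosts or any(host.endswith("." + h) for h in first_party_hosts):
            continue
        findings.append((tag, host, url))
    return findings


# Constructed sample: first-party assets plus a vendor analytics script and a
# 1x1 tracking pixel whose URL reveals which portal page the patient is viewing.
SAMPLE_PORTAL_HTML = """<html><head>
<link rel="stylesheet" href="/static/portal.css">
<script src="https://static.portal.example/app.js"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
</head><body>
<img src="https://pixel.ads-vendor.example/collect?page=lab-results" width="1" height="1">
<img src="/img/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, host, url in third_party_loads(SAMPLE_PORTAL_HTML, {"portal.example"}):
        print(f"{tag:<6} {host:<30} {url}")
```

Run it against each portal and account page in turn; every host it prints should map to a documented vendor agreement and a known, permitted data use, and anything unexplained is a finding for the risk analysis.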
Final Thought: Don’t Assume Website Practices Are Safe
If your organization uses or plans to use tracking tools on websites, portals, or apps — especially those handling or displaying PHI — now is the time to:
- Reassess your use of web trackers
- Conduct a proper risk analysis
- Review vendor/legal frameworks
- Revise your privacy program as needed