Kaiser Permanente handed over 13.4M people's data to Microsoft, Google, others

Millions of Kaiser Permanente patients' data was likely handed over to Google, Microsoft Bing, X/Twitter, and other third-parties, according to the American healthcare giant. Kaiser told The Register it has started notifying 13.4 million current and former members and patients that "certain online technologies, previously …

  1. Anonymous Coward

    Having your privacy surgically removed without consent or anesthetic

    In other words, this is probably the result of Kaiser placing user tracking and analytics tools, offered by Big Tech and data brokers, on its websites and apps, and only realizing now what information exactly was being transmitted --- I take the lack of "/s" as intentional because the author trusts we're grown up enough not to need it, and not because we need an anesthetic.

    1. Anonymous Coward

      Re: Having your privacy surgically removed without consent or anesthetic

      I could be dense, but I fail to see the sarcasm and read it literally. There might have been a requirement to have a dashboard for the website owners to track webpage hits and referrals.

      The go-to, frictionless solution that Google optimized for developer experience is easy instructions for inserting Google Analytics on all webpages. Software engineers generally don't have a security background to worry about the implications of pasting unreviewed JavaScript code provided by a famous company like Google. Google Analytics on your website is completely normalized. I'm actually surprised a company realized the privacy implications and cared enough to backtrack.

      1. Michael Wojcik Silver badge

        Re: Having your privacy surgically removed without consent or anesthetic

        "Software engineers generally don't have a security background to worry about the implications of pasting unreviewed JavaScript code provided by a famous company like Google."

        Certainly it's unreasonable to expect everyone to be a security expert.

        However: Every organization of any decent size that develops software should have mandatory secure-development training for all developers, and general-security training for all IT personnel. Every organization of decent size that develops software should have an SDL in place that includes threat analysis, penetration testing, third-party component monitoring, and so on. And all of that goes double for any organization handling any of the categories of data that have special regulatory requirements, such as PII, financial information, and health information.

        So KP very much does not get a pass here. This is completely unacceptable. And it doesn't matter that most health-care organizations offend similarly.

        And "it came from Google" is by no means a satisfactory excuse.

  2. Bendacious Bronze badge

    Treating the status quo as a data breach

    I see this as amazing news. Yes, it’s wrong what they allowed onto their website, and it should be treated this seriously, but I’ve never seen this done before. Firstly, they recognise that doing what most other websites do unthinkingly is wrong. Then they say that sharing visitor data with Google is wrong. Wrong enough that it requires a breach announcement to customers. Amazing.

    Maybe this will give web developers more ability to push back when marketing insist on Google Analytics on every page. Slowly we can chip away at the current culture that defaults to ten third-party scripts on every page, including the page into which you type your credit card number. Reg readers know this happens and can block it, but they shouldn’t have to. If this makes one or two CTOs nervous I’ll be happy.
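The two points above (Michael Wojcik's "third-party component monitoring" as part of an SDL, and Bendacious's observation that visitors can block third-party scripts but the site owner should) come down to one check a site team can run itself: enumerate every origin a page loads scripts, pixels and frames from, flag the ones that are not first-party when the page collects sensitive data, and ship a Content-Security-Policy that makes the blocking happen server-side. The script below is an added example written for this thread, not code from The Register, Kaiser or Google; the site origin, the sample HTML and every hostname in it are constructed and illustrative, and the regex-based tag extraction is deliberately dependency-free (use a real HTML parser or a headless browser for a production audit).

```javascript
// Added example (not from the original thread): audit an HTML page for
// third-party script/pixel/frame origins and emit a restrictive CSP.
// Regex parsing is used only to keep this dependency-free.

const SITE_ORIGIN = "https://healthplan.example"; // hypothetical first-party origin

// Constructed sample page: a form collecting member/health/payment data plus
// the usual analytics and ad tags. All hostnames are illustrative only.
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script src="https://analytics.tracker.example/pixel.js"></script>
</head><body>
<form action="/appointments">
  <input name="member_id">
  <input name="symptoms">
  <input name="cc-number" autocomplete="cc-number">
</form>
<img src="https://ads.tracker.example/px.gif?ev=page" width="1" height="1">
<iframe src="https://chat.vendor.example/widget"></iframe>
</body></html>`;

// Collect (tag, url) pairs for elements that trigger a network load from a
// URL the page author put in the markup. Inline <script> blocks have no src
// and are not matched here.
function extractResources(html) {
  const re = /<(script|img|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ tag: m[1].toLowerCase(), url: m[2] });
  }
  return out;
}

// Resolve relative URLs against the site origin so "/static/app.js" is
// classified as first-party and absolute URLs keep their own origin.
function resourceOrigin(url, siteOrigin = SITE_ORIGIN) {
  return new URL(url, siteOrigin).origin;
}

// Heuristic field names that should never be readable by a third-party script.
// Any <script> on the page, whoever serves it, can read these via the DOM.
const SENSITIVE_FIELD = /\b(password|cc-number|card|ssn|member_id|symptoms|diagnosis)\b/i;
function hasSensitiveForm(html) {
  const fields = html.match(/<input\b[^>]*>/gi) || [];
  return fields.some((f) => SENSITIVE_FIELD.test(f));
}

// Returns the distinct third-party origins, whether the page collects
// sensitive data, and one finding per third-party resource with a severity:
// a third-party <script> on a sensitive page has full DOM access (high);
// elsewhere it still runs arbitrary code (medium); a pixel or frame leaks
// URL, referrer and cookies but cannot read the form directly (low).
function auditPage(html, siteOrigin = SITE_ORIGIN) {
  const resources = extractResources(html);
  const thirdParty = resources.filter((r) => resourceOrigin(r.url, siteOrigin) !== siteOrigin);
  const thirdPartyOrigins = [...new Set(thirdParty.map((r) => resourceOrigin(r.url, siteOrigin)))];
  const sensitiveForm = hasSensitiveForm(html);
  const findings = thirdParty.map((r) => {
    const origin = resourceOrigin(r.url, siteOrigin);
    const severity = r.tag === "script" ? (sensitiveForm ? "high" : "medium") : "low";
    return { tag: r.tag, origin, severity };
  });
  return { thirdPartyOrigins, sensitiveForm, findings };
}

// Build a Content-Security-Policy header value that allows only first-party
// scripts (plus any origins a reviewer has explicitly approved), first-party
// images, and no frames. Roll it out as Content-Security-Policy-Report-Only
// first so the violation reports show what the page actually depends on.
function buildCsp(approvedScriptOrigins = []) {
  const scriptSrc = ["'self'", ...approvedScriptOrigins].join(" ");
  return `default-src 'self'; script-src ${scriptSrc}; img-src 'self'; frame-src 'none'; connect-src 'self'`;
}

console.log(JSON.stringify(auditPage(SAMPLE_HTML), null, 2));
console.log("Content-Security-Policy: " + buildCsp());
```

On the constructed page the audit reports four third-party origins, two of them scripts loaded on a page with member, symptom and card fields, which is exactly the situation the article describes; the generated policy blocks all of them until someone with the authority to approve a vendor adds that origin to the allowlist. A pixel or tag that a marketing team pastes in later then fails to load and shows up in the CSP reports instead of silently shipping form data to a tracker.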

    1. ecofeco Silver badge

      Re: Treating the status quo as a data breach

      This.

      A website that needs dozens of third party services?

      FAIL!

      And I see it everywhere.

      1. cookieMonster Silver badge

        Re: Treating the status quo as a data breach

        Is it because most “web developers” are total fucking morons??

        Aka “JavaScript engineers”

        Just in case anyone misunderstands: personally, I despise the people who create websites these days loaded with third-party spyware. May they die screaming!!

    2. Korev Silver badge

      Re: Treating the status quo as a data breach

      It's also possible that the web developers did it knowingly without thinking of the consequences.

      In my previous job, I did sometimes have to deal with "deidentified" clinical data. It's amazing how quickly you become blasé about it.

  3. Tubz Silver badge

    In other words, "oh shit we f up and got caught being greedy and spying on people, better sort this crap out before we get a class action lawsuit", is the most honest response.
