How Kaiser Sold 13 Million Patients’ Medical Data to Big Tech

Healthcare / Data Privacy / Corporate Accountability

Kaiser Permanente embedded spy code inside the private, password-protected medical portals where patients checked their lab results, mental health appointments, and prescription histories, and that code fed the data to outside technology companies for seven years before anyone was held accountable.

This is the story of one of the largest healthcare data privacy violations in American history. For six-plus years, from November 2017 through May 2024, Kaiser Foundation Health Plan deployed third-party tracking technology inside the authenticated, logged-in sections of its websites and mobile apps. These were the pages where you checked your cancer screening results. Where you messaged your therapist. Where you managed your medications. Kaiser treated those pages as a product to be monetized.

The settlement, filed December 1, 2025, covers patients across California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, and the District of Columbia. The class of affected patients is drawn from the “May 2024 Notice List,” the very list Kaiser was required to compile when it notified members of the incident under federal breach notification law in May 2024, confirming the government itself viewed this as a reportable data breach.

Kaiser agreed to pay up to $47.5 million (enough to fund a full-time nurse practitioner at every single public school in the state of California for a year) to settle the claims. In exchange, the company admits nothing.


What Kaiser Actually Did Inside Your Doctor Portal

They Planted Trackers Where You Were Most Vulnerable

The lawsuit is specific about where the data leakage occurred. The code was embedded in the “authenticated pages” of Kaiser’s platforms. That word, authenticated, matters enormously. It means these were not publicly visible webpages. These were the pages you could only access after you logged in with your username and password. The pages where you read your diagnosis. Where you viewed your mental health history. Where you tracked your prescriptions.

The platforms in question include healthy.kaiserpermanente.org, mydoctor.kaiserpermanente.org, and mobile applications including the Kaiser Permanente App, the Kaiser Permanente Washington App, My KP Meds App, KP Health Ally App, and My Doctor Online. Every single one of these was a platform a patient would use under the assumption that their medical data stayed private.

The complaint names violations of more than twenty separate laws, spanning federal wiretapping statutes, California’s Invasion of Privacy Act, the California Confidentiality of Medical Information Act, the Electronic Communications Privacy Act, and equivalent state laws in Georgia, Maryland, Oregon, Virginia, Washington, and D.C. The sheer breadth of the legal violations alleged describes a company that was reckless across every jurisdiction in which it operated.

“Third-party code on the Kaiser Permanente websites and mobile applications” was embedded inside authenticated, password-protected patient portals for over six years.

The Timeline of Exposure Is Staggering

Timeline of Key Events in the Kaiser Data Breach Case

  • Nov 2017: Tracking begins
  • Jun 2023: Initial lawsuit filed
  • May 2024: Kaiser notifies patients; tracking ends
  • Dec 2025: $47.5M settlement filed

Total span of data exposure: more than six years.

The tracking began in November 2017. Kaiser did not notify its patients until May 2024. That is six and a half years of your most sensitive health data being captured and transmitted to third parties you never agreed to share it with. Six and a half years of checking your HIV status, your antidepressant dosage, your oncology follow-up schedule, all while code you never saw and never consented to was watching and reporting.

The initial lawsuit was filed in June 2023, which means patients had been exposed for nearly six years before a single legal challenge even hit a courtroom. The class action eventually consolidated multiple lawsuits and produced a 22-count complaint drawing on federal and state laws from nearly a dozen jurisdictions. The volume of law broken is a testament to how comprehensively Kaiser violated the trust of its members.


The Non-Financial Ledger: What Money Cannot Fix

Your Secrets Were Currency

Let’s be direct about what “authenticated pages” means in the real world of a Kaiser patient. When you log into your Kaiser portal, you are not browsing a public website. You are entering what every doctor’s office, every hospital pamphlet, and every federal law promises is a sacred, protected space. You type in your password because you believe, completely and reasonably, that what you do on the other side of that login screen stays between you and your doctors. Kaiser built its entire brand on that promise.

The code Kaiser embedded shattered that promise systematically and silently. Every time a patient checked whether their biopsy came back positive, every time someone logged in to schedule a psychiatric evaluation, every time a person managed their medications for a stigmatized condition, third-party technology firms received data. The patients had no idea. They were sitting in the privacy of their homes, in their bedrooms and bathrooms, in moments of fear and vulnerability, trusting an institution that was simultaneously monetizing their anguish.

Consider what types of pages fall within authenticated Kaiser portals: prescription management for opioids, benzodiazepines, or HIV antiretroviral medications; mental health appointment scheduling; fertility treatment tracking; cancer diagnosis and treatment history. These are categories of information so sensitive that federal law has built entire frameworks specifically to protect them. Kaiser treated those frameworks as obstacles to work around rather than promises to keep.

The Silence They Bought

The settlement agreement contains a provision that the everyday person deserves to read and sit with. Clause 2.27 requires that the named plaintiffs and their lawyers “shall not publicly disparage, defame, or criticize Defendant, its Affiliated Entities, or the Released Parties with respect to the Released Claims.” In plain language: the people who were harmed and who fought back in court are now, as a condition of receiving any compensation, legally prohibited from publicly speaking critically about what Kaiser did to them. Kaiser purchased their silence as part of the settlement price.

This is a pattern as old as corporate misconduct itself. Companies write non-disparagement clauses into settlements precisely because the most devastating harm they face is not the lawsuit itself but the continued, persistent, human voices of the people they wronged. One person saying “Kaiser exposed my HIV status to advertisers” on a podcast or in a news interview does more damage to the company’s reputation than any court filing. So Kaiser paid to make those voices go away. The $46 million (enough to give every single affected patient a $3.50 check, roughly the price of a bus fare) includes the price of silence.

The plaintiffs in this case filed using pseudonyms. John Doe. Jane Doe. Jane Doe II, III, IV, V. The fact that patients were so afraid of additional exposure from simply participating in a lawsuit about their data being exposed tells you everything about the depth of the violation. People fighting for their rights in federal court could not use their own names because Kaiser had already demonstrated it could not protect them.

Seven Years. Millions of People. One Letter in May.

The document references a “May 2024 Notice List,” a confidential list of current and former Kaiser Permanente members who received breach notification under federal health data regulations. Kaiser was legally required to send that notification because the government classified what happened as a reportable breach. Yet the company compiled that list in 2024, for a data leakage that started in 2017. The notification, required by law, arrived half a decade too late to allow patients to make informed choices about what digital tools they used to manage their health.


Legal Receipts: Straight From the Documents

The Words Kaiser Signed Its Name To

“Released Claims… arise out of or relate to the causes of actions, allegations, practices, or conduct at issue in the Consolidated Class Action Complaint, including but not limited to use of third-party code on the Kaiser Permanente websites and mobile applications as described in paragraphs 4 through 23 and 82 through 428 of the Consolidated Class Action Complaint and access of the unauthenticated and authenticated pages of the Kaiser Permanente websites or mobile applications.”
Stipulation of Settlement, Section II.A, Paragraph 1.14 — Definition of Released Claims

“Defendant denies the material allegations of the Consolidated Class Action Complaint and denies that Plaintiffs and Settlement Class Members are entitled to any of the relief they seek. Additionally, Defendant denies that the Plaintiffs and the Settlement Class Members that they purport to represent have suffered any damages.”
Stipulation of Settlement, Section I — Background of the Litigation

“Plaintiffs and Class Counsel shall not publicly disparage, defame, or criticize Defendant, its Affiliated Entities, or the Released Parties with respect to the Released Claims; nor shall Plaintiffs or Class Counsel encourage any other Person to do so.”
Stipulation of Settlement, Section II.B, Paragraph 2.27 — Non-Disparagement Clause

“The ‘Settlement Class’ means any and all Kaiser members in the Kaiser Operating States, subject to the exclusions below, who accessed the authenticated pages of the Kaiser Permanente websites or mobile applications listed below from November 2017 to May 2024.”
Stipulation of Settlement, Section II.A, Paragraph 1.18 — Definition of Settlement Class

“Neither this Stipulation nor any document referred to herein nor any action taken to carry out this Stipulation is or may be construed as either a finding by the Court or an admission by Defendant of any fault, wrongdoing, or liability whatsoever. There has been no final determination by any court as to the merits of the claims asserted by Settlement Class Members against Defendant.”
Stipulation of Settlement, Section F — Miscellaneous Provisions, Paragraph 6.15
Kaiser denies patients “suffered any damages,” then writes a $46 million check. The gap between those two sentences is where the truth lives.

Follow the Money: Where the $46 Million Goes

Settlement Fund Allocation (Estimated, Based on Standard Class Action Structures)

  • Total settlement: $46M
  • Attorneys’ fees (est.): ~$11.5M
  • Administrative costs (est.): ~$2M
  • Net to patients (est.): ~$32.5M

Attorneys’ fees and administrative costs are court-ordered; the net patient figure is an estimate based on standard class action structures.

The settlement fund totals $46 million (enough to pay the average American’s grocery bill for roughly 920 years). However, by the time attorneys’ fees and administrative costs are deducted, the amount reaching actual patients shrinks considerably. The settlement document confirms attorneys may seek fees from the settlement amount, alongside service awards of up to $5,000 (roughly two weeks of take-home pay for a minimum-wage worker) per named plaintiff.

Critically, Kaiser has zero liability for what happens to the money once it hits the escrow account. The company writes the check and walks away. All allocation decisions, all administrative costs, all distribution headaches belong to the settlement administrator and class counsel. Kaiser engineered a system where it pays once and accepts no ongoing responsibility for whether victims actually receive meaningful compensation.


Societal Impact Mapping

Public Health: When the Doctor’s Office Becomes a Data Farm

Healthcare data is different from every other category of personal information. It describes not who you are on the surface but who you are at your most biologically and psychologically vulnerable. A stolen credit card number costs money. Stolen health data can cost jobs, relationships, insurance coverage, and in extreme cases, lives. The exposure of medication histories, mental health visit records, and diagnostic data from authenticated Kaiser portals created a category of harm that cannot be fully undone by a settlement payment.

The states covered by this settlement, California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, and D.C., represent some of the most diverse patient populations in the country. Patients in those states used Kaiser’s digital tools to manage conditions ranging from HIV and hepatitis to psychiatric disorders and substance use. These are conditions where stigma remains a genuine social hazard. An employer, insurer, or personal contact gaining access to that information through the data chain that Kaiser enabled could produce consequences no court can fully remedy.

The lawsuit alleged violations of California’s Confidentiality of Medical Information Act and multiple state health information laws specifically because lawmakers recognized that health data is extraordinarily dangerous in unauthorized hands. The fact that Kaiser, an institution trusted with the most sensitive information imaginable, embedded tracking code inside the very portals where patients managed these conditions represents a systemic failure of the first order.

Patients used Kaiser’s portals to manage HIV, psychiatric conditions, and cancer diagnoses. Third-party code was watching the entire time.

Economic Inequality: The Price of Privacy Is Now $3.50

Class action settlements in data breach cases follow a depressingly predictable economic pattern: the corporation pays a sum that sounds large in a headline and is completely inconsequential relative to its size and revenue, and the individual victims receive checks so small they barely cover the cost of a coffee. The $46 million settlement divided among the potentially millions of affected Kaiser members in nine states and D.C. produces per-person payouts that the settlement document itself gives no firm number for, because the actual amount depends on how many people file valid claims.

Kaiser Foundation Health Plan is one of the largest not-for-profit health plans in the United States. The $46 million settlement (enough to pay for a year of emergency room visits for roughly 4,600 uninsured Americans at average ER costs) represents a rounding error against the scale of the organization’s annual operations. For Kaiser, this is a cost of doing business. For the patient who had their antidepressant prescription data transmitted to a third-party analytics company, the payout will arrive as a check they may not even cash because it is not worth the trip to the bank.

The settlement also allows Kaiser to maintain its right to walk away entirely if too many class members opt out. Section 2.8 grants Kaiser a unilateral right to terminate the settlement based on opt-out numbers set in a confidential supplemental agreement the public is never allowed to see. This means the company built a secret escape hatch into the deal, the terms of which were hidden from the very people the settlement was supposed to serve.

Economic Inequality: The Secret Escape Hatch

The confidential Supplemental Agreement is a feature of this settlement that demands public attention. Kaiser negotiated a secret threshold: if enough class members opt out of the settlement, Kaiser can cancel the entire deal and pay nothing. The public, the patients, the press, none of them are permitted to know what that threshold is. The document states it was “submitted to the Court in camera,” meaning even the filing is sealed from public view.

This structure serves Kaiser’s interests exclusively. It discourages patient advocates from organizing opt-out campaigns because the consequence could be that Kaiser walks away and patients receive nothing at all. It is a masterpiece of coercive settlement design, built to suppress resistance by making resistance itself risky for the people who were already harmed. The power asymmetry between a multi-billion-dollar health plan and an individual patient trying to understand a 91-page legal document and decide whether to opt out is precisely the asymmetry this secret clause is designed to exploit.


The “Cost of a Life” Metric


What Now? The Resistance Playbook

Who Is Still Running This Organization

The settlement document does not name individual Kaiser executives responsible for the decision to embed third-party tracking code in authenticated patient portals. The decision to deploy this code, spanning seven years and nine states, was made by senior leadership in Kaiser’s digital, technology, and product divisions. Those individuals hold their positions today.

Corporate Roles to Watch:

  • Kaiser Foundation Health Plan — Chief Digital Officer / Chief Technology Officer
  • Kaiser Foundation Health Plan — Chief Privacy Officer
  • Kaiser Foundation Health Plan — President and Chief Executive Officer
  • Kaiser Foundation Health Plan Board of Directors — all current members

Regulatory Bodies With Power to Act

  • HHS Office for Civil Rights (OCR): Primary federal enforcer of HIPAA. File complaints about healthcare data breaches at hhs.gov/ocr.
  • Federal Trade Commission (FTC): Has pursued health data privacy cases. Report corporate deception at ftc.gov/complaint.
  • State Attorneys General: California, Washington, Oregon, and Maryland all have strong consumer privacy laws implicated in this case. Contact your state AG’s consumer protection division.
  • Consumer Financial Protection Bureau (CFPB): Has expanded its health data focus. File complaints at consumerfinance.gov/complaint.
  • Your State Insurance Commissioner: Kaiser operates as a health plan in your state. Insurance commissioners have regulatory authority over health plan conduct.

If You Are a Kaiser Member: Your Immediate Steps

If you accessed the authenticated pages of any Kaiser Permanente website or mobile app between November 2017 and May 2024 in California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, or D.C., you are potentially a class member. Watch for a notice email or postcard from the settlement administrator. Read it carefully before deciding whether to participate or opt out. Opting out preserves your right to pursue your own legal action; participating gives you a small payment in exchange for releasing all claims.

Beyond the immediate settlement, the most powerful thing you can do is organize locally. Healthcare data privacy is a collective issue. Connect with patient advocacy organizations, healthcare workers’ unions, and digital rights groups in your area. Push your elected representatives to close the loopholes that allowed Kaiser to legally embed trackers in medical portals for seven years. Demand federal legislation that bans the use of third-party tracking technology on any authenticated healthcare portal without explicit, informed, opt-in patient consent.

The people who built and deployed the tracking code faced no criminal charges. They face no personal financial consequences. They still hold positions of power inside one of America’s largest healthcare systems. The only thing that changes that is sustained, organized, political pressure from the millions of people who trusted Kaiser with their health data and were betrayed.


The source document for this investigation is attached below.


I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.
