Data breach at Kaiser Permanente affects 13.4M people (restoreprivacy.com)
121 points by kryster 11 days ago | hide | past | favorite | 58 comments

I reported this to Kaiser on 2021-11-22, in support case number 53710772. Below is the content of the ticket I filed. I didn't follow through on disclosure. Now I wish I had, since they could have fixed this problem faster instead of taking 2.5 years.

I am still a satisfied Kaiser customer.

----

Hi KP.org Team,

Just now, I logged into KP.org. Something was loading slowly, so I viewed the network requests the website was making. I was surprised to see requests to Google, Adobe, Bing, Qualtrics, BTTag.com, and Unpkg.com. A request to Google includes info intended to de-anonymize my computer: time, IP addr, device type, display size, browser window size, timezone, and others. These requests occur even while reading messages with my doctor!

The page loads JavaScript from Adobe, Bing, Google, and Qualtrics. People who control those companies' servers can read my confidential messages. Adobe has a track record of incompetence in IT security.

Please review your decision to make KP.org load external code and trackers. If you do not respond by 2022-01-14 (90 days), I will disclose this information to privacy-oriented media organizations and HHS.gov. I saved screenshots for this purpose.

Sincerely, Michael


That's pretty gross. Why would a hospital/healthcare system even need all that tracking? They don't make enough from their primary business that they also need to sell patient data for advertising? I would guess some dev just slapped on a bunch of boilerplate that so many other projects use and called it a day.

someone wanted ad revenue and it leads to this...

source: personal exposure to "ad markets in hospitals" here in the SF Bay Area


IMO part of the solution should be obvious: if a company loads JavaScript from a third party, and they have not vetted that third party for HIPAA compliance, then the company including the JavaScript should be deemed to have violated patient privacy, probably even if no patient data was transmitted.

Login page still loads up Adobe and Qualtrics. Maybe KP has a BAA with those services?

URL (gets redirected): https://healthy.kaiserpermanente.org/consumer-sign-on

If one had a list of patient portals[0], what would be the simplest way to check each for 3rd party trackers? Use Selenium?

  0. curl -s "https://www.mychart.org/LoginSignup" | grep 'JSON.par' | sed -e 's;^.*JSON.parse('\'';;' -e 's;'\'').*$;;' | jq '.Customers[].LoginUrl' | tr -d '"'
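As an added example (not code from the thread, from any portal operator, or from MyChart), here is a Python checker that takes the HTML of one login page and reports every origin outside the first party that the markup would make the browser contact. The sample page and the first-party domain `example-health.test` are constructed; the tracker hostnames are the ones named in the ticket above, with made-up paths. This static pass is cheap enough to run over the whole list the curl pipeline produces, but it only sees resources declared in the markup: scripts injected at runtime by a tag manager show up only in a real browser's network log, which is where Selenium or Playwright comes in.

```python
"""Flag third-party resource loads declared in a fetched page.

Added example, not from the thread. Static parsing catches what the
markup declares; runtime-injected tags need a browser and its network log.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes whose value makes the browser issue a request.
LOADING_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
    "iframe": ("src",),
}


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for every resource-loading attribute."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        for attr in LOADING_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name == attr and value:
                    # Resolve relative and protocol-relative ("//cdn...") URLs.
                    self.resources.append((tag, urljoin(self.page_url, value)))


def is_first_party(host, first_party_domains):
    """True if host equals, or is a subdomain of, a first-party domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in first_party_domains)


def third_party_origins(page_url, html, first_party_domains):
    """Return {origin: sorted tags} for every host outside the first party.

    The operator's registrable domain(s) are passed in explicitly: deriving
    them from a hostname needs the Public Suffix List, so it is not guessed.
    """
    collector = ResourceCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # data:, javascript:, fragments: no network request to a host
        if is_first_party(parts.hostname, first_party_domains):
            continue
        origin = f"{parts.scheme}://{parts.hostname}"
        found.setdefault(origin, set()).add(tag)
    return {origin: sorted(tags) for origin, tags in sorted(found.items())}


# Constructed sample page; not captured from any real portal.
SAMPLE_URL = "https://portal.example-health.test/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/app.css">
<script src="/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://unpkg.com/some-lib@1.0.0/dist/lib.min.js"></script>
<script src="https://assets.adobedtm.com/launch-abc.min.js"></script>
</head><body>
<img src="https://bat.bing.com/action/0?ti=1" width="0" height="0">
<img src="//cdn.portal.example-health.test/logo.png">
<iframe src="https://survey.qualtrics.com/jfe/form/SV_123"></iframe>
</body></html>
"""

if __name__ == "__main__":
    report = third_party_origins(SAMPLE_URL, SAMPLE_HTML, ["example-health.test"])
    for origin, tags in report.items():
        print(f"{origin:40s} via {', '.join(tags)}")
```

To run it against the real list, fetch each LoginUrl from the curl output and pass the body plus that portal's own domain in place of the constructed sample; anything the report lists is an origin whose operator can observe, at minimum, that a given IP visited that provider's login page.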

Google will sign a BAA for pretty much anything other than analytics. There's a decent market for HIPAA compliant analytics services, especially for analyzing marketing funnels, conversions, etc.

I haven't a clue if either of those companies do, though it wouldn't surprise me if they did.


> The data exposure was discovered following an internal investigation conducted voluntarily by Kaiser Permanente. The company discovered that online trackers used on its websites and mobile applications were transmitting certain types of personal data when users interacted with its services.

I have respect for the individuals that started this investigation, and the ones that made sure this is publicly disclosed. This could have easily been swept under the carpet.

Actually, that they uncovered this on their own and publicly disclosed it sounds like they have an above-average privacy culture in place.

I know the odds that the person(s) who kicked off this investigation are reading this comment are very low, but if so: Kudos, well done!


Kaiser has had another privacy bug for many years, which is they give out phone numbers of individual doctors in the Kaiser system (of course it goes to voice mail). That sounds great but it's invasive: call a Kaiser oncologist, and your phone carrier sells the number you dialed to data brokers who profile you as a likely cancer patient. Call an AIDS specialist, gender transition therapist, abortion provider, etc.: same idea. Kaiser should instead have a single incoming phone number where you enter an extension of the doctor you are trying to reach. So everyone dials the same outgoing number. I griped to them about this around 10 years ago and they basically said hrmmph.

Correlation between web, social media, brick and mortar retailers, banking, credit, and cell phone carriers has reached a level of ridiculous perversion. America needs a modern German-like privacy framework. Data brokers should be illegal and individuals should have final say over how uniquely identifying information about them is exchanged.

Yes. The data hoarding creates endless opportunity for abuse and only marginally improves the utility of things like advertising.

The case of insurance providers having a microscope into everyone's lives is simply dystopian. As with political campaigns, potential employers, law enforcement, and so on.


This is not unique to Kaiser. Anyone not on an HMO plan has separate providers for separate specialties.

>I griped to them about this around 10 years ago and they basically said hrmmph.

To be fair to Kaiser, that really isn't their problem.

You should be griping to the telco (yes, I know it's a waste of time) and your politicians (marginally more useful than the former), because that is their problem.


So if I call some Sports Medicine doctors, then advertisers will think I'm a cool, active person.

Then they see the rest of your browsing history

Your cellphone could also report your location when you walk to these medical providers, right?

Yeah but you could theoretically turn off Location services and then the cell network may not be able to tell if you're at the doctors or at the McDonalds next door so it still offers some (limited) privacy.

By that logic you could in theory use a VOIP number to call...

That’s a crazy solution to a legislative problem.

Also, source that call records are sold? I thought even the government (non federal security apparatus) needed a warrant to get access to that information?


KP's phone carrier, the caller's carrier, or an intermediate phone network may be selling metadata to data brokers. The current practice in America is that once data* about a person has been disclosed to a business by any means, the person loses all rights to it and it becomes the property of that business to do with and resell it however they want.

* There are limited carve-outs for medical records and such.


> The current practice in America is that once data* about a person has been disclosed to a business by any means, the person loses all rights to it and it becomes the property of that business to do with and resell it however they want.

Yes. I think what's being alluded to is that the ultimate problem lies there, and carving out special systems and cases to legislate to avoid bad behavior that might result from that will always fall short of what we could get with some more overarching legislation that makes it so the end person retains at least enough rights about that data to know when it's happening and preferably be able to stop it, and requiring very stringent rules about those that do attempt it with permission from end users.

At that point it's no longer about finding which of the data aggregators are doing unsavory things with the data they get from you and trying to find some way to get them to stop; it's then about any data broker that wants your information trying to get you to allow it (because there are undoubtedly cases where the data is good for society and even good for you) needing to justify what and why and how they use it.

Edit: And there would be legal recourse if they don't follow those legal standards, of course. It's implied, but might as well be stated outright.


I think the better starting point would be that businesses have no right to share personally identifying information about their customers (short of court orders) and the carve outs go the other way. I should then grant the "identity handling rights", by way of a license, to businesses, as needed. Put some standards around the language and method of establishing consent so it can't be buried in EULAs, and then I'll be happy to check a box to grant businesses to transact with my PII on my behalf if there is a legitimate need.

I think that's essentially just what I described, with the main difference being that I think we'll only actually get there if we approach it from the angle of PII being something intrinsically owned by the individual, not the company that generated it, which I think is easiest approached by making it a right of some sort.

Then the carved out allowances for specific companies or industries are clear and their need can always be weighed against our rights, making them much easier to pull back, because it's obvious when it comes to our rights and the needs of an industry to continue making money, our rights come first. If it's approached from a non-rights angle at some point we are attempting to curtail an industry, I think that might be a much more contentious discussion.

If we can't get rights, I wouldn't mind HIPAA being expanded into an overall PII protection system with two or more levels, one being current HIPAA health info, and the other main one being all other PII info and that allows a company to collect it for internal use without lots of constraints (depending on info, and purely so it doesn't accidentally tank existing industries that aren't problematic because all of a sudden they can't store some benign info they need that the law accidentally targets) but once they want to share it at all they need to adopt a much more stringent framework like medical info requires for tracking and accounting of it, which would probably weed out the vast majority of random "collect the PII and sell it because it's cheap" stuff that goes on, since it's no longer low cost at all given the requirements that would exist around it (including authorization to share). Just the cost structure around strict legal and storage compliance and requiring authorization and tracking of all sharing of information would disincentivize a huge amount of the abuse we see.


Yes, this would need grassroots single issue advancement of something like a HIPAA law for general privacy and personal data that starts with an opt-in standard practice. There's really no way to change the structure of how the current situation of data brokering works in America without a broad and draconian law.

Perhaps there should also be a nonprofit clearinghouse like a "credit agency" that provides a centralized portal for reviewing all of the permission links at and between businesses, and also a central point for changing phone numbers, email, shipping, mailing address, etc.



The source material on page 9 and 10 claims a subpoena is necessary:

https://archive.nytimes.com/www.nytimes.com/interactive/2013...

Therefore, I am confused whether or not a warrant is needed. If the phone networks were straight up selling call records, then surely no law enforcement agency would bother with warrants.


Buying the records could cause issues potentially in court. The selling of 'evidence' can cause various conflicts of interest.

That said I would be completely unsurprised if they were used for 'parallel discovery' purposes.


Call records have never needed a warrant (lookup "pen registers"). Call contents (i.e. wiretaps) have in principle always needed a warrant, modulo many exceptions. These days though, call records seem to be for sale to anyone who wants them, whether or not that is legal.

A private investigator could fill us in, but if you look at the different personal data services you'll see a lot of "check this box to agree that you have a valid legal reason to pay us $75 for your ex's info" type setups. Pirate Code law.

Subscriber data: court order.

Communications: warrant.

Metadata: it depends.

(Not a general rule but a useful heuristic).


sounds like I need to start dialing some random businesses to fuck up my ads

The solution is FBI raids on the headquarters of the carriers, data brokers, and companies that buy/use/resell/share/etc. the data.

Plus the individuals found responsible thrown into prison, and personally bankrupted.

Plus a punitive hit to the stockholders, including clawbacks of past realized gains, to align incentives better with productive society, and not let a corporation be a shield for routine criminal conspiracy.

Working backwards from the desired state, what legislation do we need?


>Working backwards from the desired state, what legislation do we need?

Not much for the jackboot police state you look to create


"It's fine, I'm not doing anything wrong, so it won't hurt me"

There's something seriously wrong with the KP web department. Their current site is a slow, buggy mess that regularly locks up for no discernible reason on my system (M2 Air, latest Firefox and macOS). Just the other day I had to nuke all the cookies to log in again, because the site got itself in a login loop ("the website isn't redirecting properly").

Genuinely think cyber has a massive overengineering problem - I haven't worked with Kaiser but am under the impression they run quite a sophisticated op, with a lot of advanced modeling done for vulns & cyber risk in general. Yet they got pounded pretty hard here.

Creeping suspicion is too much focus on doing ”smart” things with data, AI and such and not enough on actually worrying about not getting breached.


> Yet they got pounded here

Huh? Your passive tense suggests this happened to KP’s teams.

From what I’m reading, those are the teams who would have had to actively take action to import the tracking code on their pages.

My money is on “we imported a thing on the website because our advertising team needed to know when advertised users converted from any of many different advertising channels”. Usually it’s easier to import a script on a common layout, rather than just a single landing page.

Ad teams overrule the website / security teams because one is a profit center and the other is a cost center.

Then as engineers / product teams turn over, the new employees don’t know the original intention of the old imported code and are wary to remove it (and if they do, the process is long and drawn out).


None of this surprises me one bit. I have worked in the health space for several years, and I have personally seen the inner workings of several insurers and the manmade horrors within.

It blows my mind that these multibillion dollar institutions are so poorly managed on the technology/IT front. I think most people will have their health data likely leaked at some point.


> I think most people will have their health data likely leaked at some point.

Just don't go to the hospital or in any other way involve your system with the InsuroServo complex. Problem solved!


I wonder if they had CSP and intentionally bypassed or they didn't have CSP at all.
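On the CSP question, whether a policy was absent or deliberately loosened is visible in the header itself. The following Python is an added example, not anything from the thread or from KP: it parses a Content-Security-Policy value, reports the source expressions that make the script policy ineffective against third-party code, and checks which of a set of script URLs the policy would let run. The three headers and the page origin are constructed; the hostnames are the ones named in the ticket above. Matching is simplified to scheme and host (ports and paths are ignored), which is enough to tell "no policy" from "trackers allowlisted" from "first party only".

```python
"""Evaluate what a Content-Security-Policy header lets script-src load.

Added example, not from the thread. Source matching is simplified to
scheme + host, enough to distinguish no policy / allowlisted / restricted.
"""
from urllib.parse import urlsplit

# Source expressions that make a script policy ineffective against third-party code.
WEAK_TOKENS = {"*", "https:", "http:", "data:", "'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(header):
    """Return {directive: [source expressions]} for a CSP header value."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src governs scripts; default-src is the fallback; None means unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def host_source_allows(source, url):
    """Match a host-source ('https://*.example.com', 'cdn.example.com') against url."""
    target = urlsplit(url)
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if scheme != target.scheme:
            return False
    else:
        rest = source
    host_pattern = rest.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    host = (target.hostname or "").lower()
    if host_pattern.startswith("*."):
        return host.endswith(host_pattern[1:])  # '*.x.com' matches 'a.x.com', not 'x.com'
    return host == host_pattern


def allows_script(policy, url, page_url):
    """True if the policy would let a script loaded from url run on page_url."""
    sources = script_sources(policy)
    if sources is None:
        return True  # neither script-src nor default-src: CSP does not restrict scripts
    page, target = urlsplit(page_url), urlsplit(url)
    for source in sources:
        s = source.lower()
        if s == "*":
            return True
        if s in ("https:", "http:"):  # scheme-source: every host on that scheme
            if target.scheme == s[:-1]:
                return True
        elif s == "'self'":
            if (page.scheme, page.hostname) == (target.scheme, target.hostname):
                return True
        elif s.startswith("'"):  # 'none', nonces, hashes: never match an external URL by host
            continue
        elif host_source_allows(s, url):
            return True
    return False


def script_findings(policy):
    """Reasons the script policy does not constrain third-party script."""
    sources = script_sources(policy)
    if sources is None:
        return ["no script-src or default-src: any origin may serve script"]
    return [f"permissive source in script policy: {s}" for s in sources if s.lower() in WEAK_TOKENS]


# Constructed page origin and script URLs; hostnames are those named in the ticket above.
PAGE = "https://portal.example-health.test/login"
SCRIPTS = [
    "https://www.googletagmanager.com/gtm.js",
    "https://bat.bing.com/bat.js",
    "https://assets.adobedtm.com/launch.min.js",
    "https://unpkg.com/lib.min.js",
]
# 'https:' admits every HTTPS host: a policy exists but stops no third-party script.
CSP_PERMISSIVE = "default-src 'self' https: 'unsafe-inline'; img-src * data:"
# Tracker origins explicitly allowlisted: the loads are intentional, not a gap.
CSP_ALLOWLIST = "default-src 'self'; script-src 'self' https://www.googletagmanager.com https://*.adobedtm.com"
# First-party script plus a nonce for an inline bootstrap; the trackers would be blocked.
CSP_STRICT = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'"


def evaluate(header, page_url=PAGE, urls=SCRIPTS):
    """Findings about the script policy plus which of urls it would let run."""
    policy = parse_csp(header)
    return {"findings": script_findings(policy),
            "allowed": [u for u in urls if allows_script(policy, u, page_url)]}


if __name__ == "__main__":
    for name, header in (("permissive", CSP_PERMISSIVE), ("allowlist", CSP_ALLOWLIST), ("strict", CSP_STRICT)):
        result = evaluate(header)
        print(f"{name:10s} findings={result['findings']} allowed={result['allowed']}")
```

Run it on the `Content-Security-Policy` response header of the page you are looking at (curl -sI and grep for it): an empty result means there was no policy to bypass, a finding on `https:` or `*` means the policy was never going to stop this, and an explicit tracker host in `script-src` means someone chose to let it through.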

Anyone that has worked in a sector where technology is often a second tier citizen or after thought knows these types of breaches are inevitable.

Hospitals. Banks. Airline industry.

The shit I have seen in just these industries made me think twice about having my private information held here.

Of course, the “IT” is often outsourced or “in sourced” (often juniors fresh out of college). Thus simple shit such as network segmenting production and development environments; and limiting access to production databases/assets is nonexistent.

I remember working in an airline where the backend systems were still running on outdated mainframe systems. Nobody had a clue how the existing mainframe systems worked. No documentation. Only poorly maintained support docs on how to keep it running. I ended up silent quitting after 3 months because management kept shutting down all of my initiatives to improve ops and quality. This company later had a massive meltdown. I wasn’t surprised and just glad I wasn’t subpoenaed.


It's always the SOC 2 and HIPAA-compliant companies that get breached, but, of course, mostly compliant companies are lucrative targets.

It's because HIPAA is a joke and SOC2 is basically the bare minimum at this point.

Too many little ways to manipulate your artifacts to pass SOC2 and no accountability when it goes wrong.


Just the fact that SOC 2 auditors are CPAs speaks enough. I remember working at a large e-commerce company, and the InfoSec officers told me that we didn't care about PCI compliance as we could only get fined, but we could get into orange jumpsuits for mishandling PII. And that was over a decade ago, talking only about names, addresses, emails, and phone numbers. With HIPAA leaks, it's tons more than just that, and I'm not sure what the consequences are, but back then, we didn't want to sell prescription eyewear only due to the HIPAA burden.

Sat in a hospital room with a relative for two weeks and saw staff repeatedly violate compliance directives in order to provide timely care. They clearly weren't being provided the resources needed to do so.

Also, for the entrepreneurs out there, they seem to really need some kind of tubing that won't collect air bubbles. Something with a hydrophobic interior? I don't know. There's a related area regarding flushing IV systems that could use attention as well.


Literally 1 month ago: Kaiser lays off IT workers for a second time in 4 months

Maybe they kept the wrong ones haha


This is just from Share Embeds.

They now disclose these are used at login.


Do you think they still have my records from 30 years ago? Not really kidding, actually curious if that data was ever properly migrated from system to system.

My historical records were never digitized by KP, they're on paper in a storage bin somewhere.

Curious how you know and how far back you are referring to? Did you stick with them throughout — if so, I would imagine they would have had extra incentive to import just yours, at the very least (and others like you, obviously).

Glad to know they’re a forest fire away from being lost. If you haven’t used your medical records or had them forwarded to another provider in over three decades, I think it’s ok if they go bye-bye.


Childhood records. Stuff from my adult years is digitized, but when I was seeing a specialist she said I would have to go visit the hospital where I was born/seen as a child and hope they still had the paper records.

I've been with KP most of my life, yeah. And I think you're right that in most cases, it's not really necessary to have the old records. It would have been useful in this case, but it's a niche case.


My visit information wasn’t digitized as far as I know, but my vaccine records and possibly other records from the 1980s are in my kp account.

About 10 years ago they dug up all my Group Health Coop (since bought by Kaiser) vaccine records since 1970 and updated the digital record to include them.

Is this a HIPAA violation?

So much for HIPAA

It should be illegal for any private company to hold that much personal information

Every American voter could call and/or write physical letters to their representatives to express their displeasure about the lack of purchase, web, and financial data and telco metadata privacy rights.

https://www.commoncause.org/find-your-representative/


Ouch. Perhaps they still have records of doctor incompetence when they nearly killed me at birth at their demolished Santa Clara location. KP is a good deal when or if you are healthy but not so great if you aren't.

This is why we need Freshpaint (YC S19) for analytics and other services for healthcare companies. A primary focus on regulatory compliance, privacy, security.
