Hacker News

I reported this to Kaiser on 2021-11-22, in support case number 53710772. Below is the content of the ticket I filed. I didn't follow through on disclosure. Now I wish I had, since they could have fixed this problem faster instead of taking 2.5 years.

I am still a satisfied Kaiser customer.

----

Hi KP.org Team,

Just now, I logged into KP.org. Something was loading slowly, so I viewed the network requests the website was making. I was surprised to see requests to Google, Adobe, Bing, Qualtrics, BTTag.com, and Unpkg.com. A request to Google includes info intended to de-anonymize my computer: time, IP addr, device type, display size, browser window size, timezone, and others. These requests occur even while reading messages with my doctor!

The page loads JavaScript from Adobe, Bing, Google, and Qualtrics. People who control those companies' servers can read my confidential messages. Adobe has a track record of incompetence in IT security.

Please review your decision to make KP.org load external code and trackers. If you do not respond by 2022-01-14 (90 days), I will disclose this information to privacy-oriented media organizations and HHS.gov. I saved screenshots for this purpose.

Sincerely, Michael




That's pretty gross. Why would a hospital/healthcare system even need all that tracking? They don't make enough from their primary business that they also need to sell patient data for advertising? I would guess some dev just slapped on a bunch of boilerplate that so many other projects use and called it a day.


Someone wanted ad revenue, and it leads to this.

source: personal exposure to "ad markets in hospitals" here in the SF Bay Area


IMO part of the solution should be obvious: if a company loads JavaScript from a third party, and they have not vetted that third party for HIPAA compliance, then the company including the JavaScript should be deemed to have violated patient probably even if no patient data was transmitted.


Login page still loads up Adobe and Qualtrics. Maybe KP has a BAA with those services?

URL (gets redirected): https://healthy.kaiserpermanente.org/consumer-sign-on

If one had a list of patient portals[0], what would be the simplest way to check each for 3rd party trackers? Use Selenium?

  0. curl -s "https://www.mychart.org/LoginSignup" | grep 'JSON.par' | sed -e 's;^.*JSON.parse('\'';;' -e 's;'\'').*$;;' | jq -r '.Customers[].LoginUrl'
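
One way to answer the question above without a browser, as an added example that is not code from the thread: a static scan of each portal's login HTML for resources fetched from a different registrable domain than the page itself. The sample HTML below is constructed, and the shape of the mychart.org page (a JSON.parse('...') blob with Customers[].LoginUrl) is assumed from the one-liner rather than copied from the real page. A static scan only sees what the initial HTML references; trackers injected at runtime by a tag manager need a real browser (Selenium or Playwright) to observe.

```python
"""Static check of a patient-portal login page for third-party resources.

Added example, not code from the thread. Uses constructed sample HTML so it
runs offline; to check a live page, fetch its HTML (curl/requests) and pass
it to third_party_resources().
"""
import json
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample standing in for mychart.org's LoginSignup page: the
# one-liner above assumes a JSON.parse('...') blob listing login URLs.
# Assumption, not the real page source.
MYCHART_SAMPLE = """<script>
var customers = JSON.parse('{"Customers":[{"Name":"Example Health","LoginUrl":"https://mychart.example-health.org/MyChart/"},{"Name":"Sample Clinic","LoginUrl":"https://portal.sample-clinic.example/"}]}');
</script>"""

# Constructed sample login page mixing first- and third-party resources.
PORTAL_SAMPLE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://assets.healthy.example-kp.org/bundle.js"></script>
<script src="https://assets.adobedtm.example/launch.js"></script>
<link rel="stylesheet" href="https://cdn.third-party.example/style.css">
<img src="https://tracker.example/pixel.gif?x=1">
<iframe src="https://survey.example/intercept"></iframe>
</head><body></body></html>"""

JSON_PARSE_RE = re.compile(r"JSON\.parse\('(.*?)'\)", re.DOTALL)


def extract_login_urls(html: str) -> list[str]:
    """Same idea as the curl/sed/jq one-liner: pull the JSON.parse('...')
    argument out of the page and return Customers[].LoginUrl.
    Like the one-liner, assumes the blob contains no escaped quotes."""
    m = JSON_PARSE_RE.search(html)
    if not m:
        return []
    data = json.loads(m.group(1))
    return [c["LoginUrl"] for c in data.get("Customers", []) if "LoginUrl" in c]


class _ResourceCollector(HTMLParser):
    # Tag -> attribute whose value the browser fetches when the tag loads.
    FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                   "link": "href", "source": "src", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.FETCH_ATTRS.get(tag)
        if want is None:
            return
        for name, value in attrs:
            if name == want and value:
                self.urls.append(value)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .org/.com; for ccTLDs
    such as .co.uk you would want the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def third_party_resources(html: str, page_url: str) -> dict[str, list[str]]:
    """Return {third_party_domain: [urls]} for every resource the page
    references on a registrable domain other than page_url's."""
    first_party = registrable_domain(urlparse(page_url).hostname or "")
    collector = _ResourceCollector()
    collector.feed(html)
    found: dict[str, list[str]] = {}
    for url in collector.urls:
        host = urlparse(url).hostname
        if not host:
            continue  # relative URL, served first-party
        domain = registrable_domain(host)
        if domain != first_party:
            found.setdefault(domain, []).append(url)
    return found


if __name__ == "__main__":
    for login in extract_login_urls(MYCHART_SAMPLE):
        print("portal:", login)
    page = "https://healthy.example-kp.org/consumer-sign-on"
    for domain, urls in third_party_resources(PORTAL_SAMPLE, page).items():
        print(f"third party {domain}: {len(urls)} resource(s)")
```

Running this over a real list would mean fetching each LoginUrl and calling third_party_resources() on the response body; any domain it reports is one you would then want to check against the provider's BAA list, which is exactly the question raised in the thread.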


Google will sign a BAA for pretty much anything other than analytics. There's a decent market for HIPAA compliant analytics services, especially for analyzing marketing funnels, conversions, etc.

I haven't a clue if either of those companies do, though it wouldn't surprise me if they did.



