Kaiser Data Breach Exposes 13.4 Million Patients

**13.4 Million Kaiser Permanente Members’ Personal and Health Data Exposed in Massive MOVEit Breach**

**OAKLAND, CA** – Over 13.4 million Kaiser Permanente patients across the nation are facing the unsettling reality that their personal and health data has been compromised in a widespread data breach, the healthcare giant confirmed. The incident, while impacting Kaiser members directly, did not stem from a direct cyberattack on Kaiser’s systems but rather from a critical vulnerability in a third-party software product widely used across various industries: MOVEit Transfer, made by Progress Software.

The vulnerability within the MOVEit Transfer managed file transfer software was first identified and disclosed in May 2023. Attackers, later linked to the notorious Clop ransomware group, exploited this zero-day flaw, primarily a SQL injection vulnerability, to gain unauthorized access to data stored in MOVEit Transfer databases. Kaiser Permanente was subsequently notified in July 2023 that its members’ data was among the data exfiltrated, because it used the affected software.

The breadth of sensitive information potentially exposed is extensive. Affected Kaiser members may have had their name, home address, email address, phone number, and birth date accessed. More critically, highly sensitive medical information, including medical record numbers, health plan names, and specific health service details – encompassing diagnoses and treatments – could now be in the hands of malicious actors.

This incident is not isolated to Kaiser Permanente. The MOVEit Transfer vulnerability has created one of the largest data breaches in US history, affecting over 2,600 organizations worldwide and impacting a staggering 93 million individuals globally. Organizations ranging from government agencies to financial institutions and other healthcare providers have fallen victim to the same exploit, highlighting the systemic risk posed by supply chain software vulnerabilities.

In response to the breach, Kaiser Permanente is urging all its members to remain vigilant. The organization is offering free credit monitoring and identity theft protection services to affected individuals. Members are strongly advised to take advantage of these services.

**What Kaiser Permanente Members Should Do:**

1. **Monitor Credit Reports:** Regularly review your credit reports from all three major bureaus (Equifax, Experian, TransUnion) for any suspicious or unauthorized activity. You can obtain free copies of your credit report annually at AnnualCreditReport.com.
2. **Beware of Phishing:** Be extra cautious about any unsolicited emails, texts, or phone calls. Cybercriminals often use data obtained from breaches to craft convincing phishing attempts, seeking to trick individuals into revealing more personal information or installing malware. Kaiser Permanente will not ask for sensitive information via unsecured channels.
3. **Place Fraud Alerts or Credit Freezes:** Consider placing a fraud alert on your credit files, which requires businesses to verify your identity before extending credit. For stronger protection, a credit freeze restricts access to your credit report, making it difficult for identity thieves to open new accounts in your name.
4. **Review Account Statements:** Carefully check statements from your health insurer, banks, and other financial institutions for any unauthorized charges or services.
5. **Utilize Kaiser’s Services:** Enroll in the free credit monitoring services offered by Kaiser Permanente by following the instructions provided in their official notification letters.

For a comprehensive list of all organizations affected by the MOVEit breach, individuals can visit the California Attorney General’s Office website, which serves as a public resource for data breach notifications.

Kaiser Permanente stated it has taken steps to secure its systems following the discovery of the vulnerability and is continuing to investigate the full scope of the incident. This breach serves as a stark reminder of the ongoing challenges organizations face in securing sensitive data in an interconnected digital landscape.
