So Kaiser Permanente has Google/Doubleclick ad trackers on their site displaying my patient information


You think you’ve seen everything, but this one is pretty bad…

  • Kaiser is one of the largest healthcare organizations in the US (insurer and provider).
  • I am a Kaiser member, so I use their website to communicate with my physician as they recommend.
  • Today, I log into their website, and read a message from my physician discussing some recent lab tests I had taken.
  • On that page, my ad blocker notifies me that it has blocked:
    • googleadservices.com
  • … and a few others that don’t have any business being on a website displaying health information either, like webtrends or some Adobe site. Even Truste is debatable.

Here is a screenshot of my ad blocker. Red is what the ad blocker blocked.

To verify, I looked at the HTML source, and it turns out that if my ad blocker hadn’t blocked it, the page would also include Doubleclick stuff! And some HTML comments which I will leave you to read … Here is the HTML, slightly reformatted to fit the space here:

<!-- Google Code for Member Log In -->
<!-- Google Code for Remarketing Tag -->
<!--------------------------------------------------
  See more information and instructions on how to setup the tag on:
  http://google.com/ads/remarketingsetup
--------------------------------------------------->
<script type="text/javascript">/*
<![CDATA[ */var google_conversion_id = 881418786;
var google_conversion_label = "Ump9CM7hr3IQosSlpAM";
var google_custom_params = window.google_tag_params;
var google_remarketing_only = true;/* ]]> */</script>
<script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"></script><noscript>
<div style="display:inline;"><img height="1" width="1" style="border-style:none;" alt="" src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/881418786/?value=1.00&currency_code=USD&label=Ump9CM7hr3IQosSlpAM&guid=ON&script=0"/></div>
</noscript>

“Re-Marketing” — are you serious?? On a page that has my health care data on it?

For reference, the URL for this page is https://healthy.kaiserpermanente.org/health/mycare/consumer/my-health-manager/message-center/from-my-doctor/!xxx (where xxx is something that looks like a session identifier which I have stripped).
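The check done by hand above (reading the page source for tags that load from other hosts) can be automated for any authenticated page. The following is an added example, not code from the original post or from Kaiser; the function names, the shortened page path and the two first-party resources in the sample are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute makes the browser issue a request on page load.
FETCHING_TAGS = {"script", "img", "iframe"}


class ResourceCollector(HTMLParser):
    """Record (tag, absolute URL) for each resource the markup would load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in FETCHING_TAGS and src:
            # urljoin resolves protocol-relative ("//host/path") and relative URLs.
            self.resources.append((tag, urljoin(self.page_url, src)))


def third_party_hosts(html, page_url, first_party_domain):
    """Map each host outside first_party_domain to the tags that load from it."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    found = {}
    for tag, url in collector.resources:
        host = (urlsplit(url).hostname or "").lower()
        # Match on a label boundary so "notkaiserpermanente.org" is not first-party.
        first_party = host == first_party_domain or host.endswith("." + first_party_domain)
        if host and not first_party:
            found.setdefault(host, []).append(tag)
    return found


# Constructed sample: the tag quoted in the post plus two made-up first-party resources.
PAGE_URL = "https://healthy.kaiserpermanente.org/health/mycare/"  # path shortened
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<img src="https://healthy.kaiserpermanente.org/logo.png" alt="">
<script type="text/javascript">var google_remarketing_only = true;</script>
<script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"></script>
<noscript><img height="1" width="1" alt=""
 src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/881418786/?guid=ON&script=0"/></noscript>
"""

if __name__ == "__main__":
    for host, tags in sorted(third_party_hosts(SAMPLE_HTML, PAGE_URL, "kaiserpermanente.org").items()):
        print(host, tags)
```

The noscript image is reported even though a browser only fetches it when scripting is disabled. A static scan like this also cannot see resources that scripts inject at runtime, so it complements rather than replaces watching the network requests of a logged-in session.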

P.S. I will append any Kaiser response to this post, should I receive any.

Response from Kaiser via Facebook:

Johannes, thank you for your question. We do have ad trackers on our website. They do not, however, display or share Protected Health Information in any way. Security of our members’ data is of the utmost concern. This is detailed in our website’s Terms of Use and Privacy Statement (https://k-p.li/privacystatement) .

We partner with a third-party ad network to manage our advertising on other sites. Our ad network partner uses cookies, Web beacons, and other tracking technologies to collect information about your activities on this and other Websites and to then provide you with KP advertising on other websites. But as noted in this Privacy Statement, we do not sell or rent personal information about visitors to our websites or our mobile app.

If you wish to not have this information used for the purpose of serving you targeted ads, you can opt out: http://preferences-mgr.truste.com/

The obvious question: Why on the page that displays confidential patient info? I’m not talking about your corporate home page here. So dear Kaiser, try again, this does not address the issue at all.

    Mentions

  • 💬 @Me2BAlliance
  • 💬 Trip’s Parody Account
  • 💬 Maybe we need to start some kind of annual award for the most egregious privacy fails. What to call it?
  • 💬 Seriously, @KPMemberService, this is a non-trivial information leakage. Take those analytics in-house.