Kaiser Caught Sharing Your Medical Data With Google and Microsoft, Massive $47.5M Settlement Revealed On Kaiser Class Action Lawsuit, Here’s How Much You Could Get

Kaiser Permanente agreed to pay up to $47.5 million to settle a class action lawsuit alleging it secretly shared 13.4 million patients’ sensitive health information with tech giants like Google, Microsoft, and Twitter through hidden tracking codes embedded in its websites and mobile apps from November 2017 to May 2024. Eligible members can claim an estimated $20 to $40 payment by filing before the March 12, 2026 deadline.

Imagine logging into your health portal to check lab results or message your doctor—and unbeknownst to you, Google, Microsoft, and other tech companies are watching every click, reading your search terms about medical symptoms, and tracking what medications you looked up.

That’s exactly what happened to millions of Kaiser members, according to explosive allegations in one of the largest healthcare privacy breach lawsuits in U.S. history.

The Privacy Scandal That Shocked 13.4 Million Patients

In April 2024, Kaiser dropped a bombshell: its own internal investigation revealed that tracking technologies embedded in its patient portals and mobile apps had potentially exposed the personal health data of 13.4 million people.

This wasn’t just IP addresses or basic browsing data. According to court documents, the exposed information included patient names, login statuses, medical search terms (symptoms, drugs, injuries, exercises), and details about how members navigated through Kaiser’s health encyclopedia and patient portal.

Think about what you’ve searched on your health portal: Maybe you looked up “breast cancer symptoms” or “STD testing” or “mental health treatment.” Under normal circumstances, that’s protected health information covered by HIPAA privacy laws.

But Kaiser’s tracking codes allegedly sent that data straight to third-party tech companies.

Third parties who received the data:

  • Google (including Google Analytics and Google Ads)
  • Microsoft (Bing)
  • Twitter (now X)
  • Quantum Metric
  • Adobe

The lawsuit claims Kaiser “had exclusive and superior knowledge” that these tracking codes would share members’ protected information with third parties—but never told patients it was happening.


Two Major Settlements: Here’s What You’re Eligible For

Kaiser now faces not one, but two massive class action settlements totaling over $57 million. Here’s the breakdown:

Privacy Breach Settlement: Up to $47.5M

Who’s eligible: Current or former Kaiser members in California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, or DC who accessed authenticated (logged-in) pages of Kaiser websites or mobile apps between November 2017 and May 2024.

How much: Individual payments estimated between $20 and $40, depending on how many people file valid claims.

Settlement fund: $46 million guaranteed, potentially increasing to $47.5 million under certain conditions.

Claim deadline: March 12, 2026

Final approval hearing: April 30, 2026

Text Message Settlement: $10.5M

Who’s eligible: Anyone nationwide who received more than one marketing text from Kaiser between January 21, 2021, and August 20, 2025, after texting “STOP” or opting out. Florida residents who received texts 15+ days after opting out get special consideration.

How much: Up to $75 per qualifying text message (the total depends on how many claims are filed).

Claim deadline: February 12, 2026

Final approval hearing: January 28, 2026

What Kaiser Allegedly Did Wrong

The privacy breach lawsuit alleges Kaiser violated a laundry list of state and federal privacy laws by embedding third-party tracking pixels and analytics tools without patient knowledge or consent.

Legal violations alleged:

  • Electronic Communications Privacy Act (federal wiretapping law)
  • California Confidentiality of Medical Information Act
  • Washington Health Care Information Act
  • Maryland Personal Information Protection Act
  • Oregon Unlawful Trade Practices Act
  • District of Columbia Consumer Protection Procedures Act
  • Multiple state consumer protection and privacy laws

The text message lawsuit claims Kaiser violated the federal Telephone Consumer Protection Act (TCPA) and Florida’s Telephone Solicitation Act by continuing to send marketing texts to people who explicitly opted out.

Both lawsuits allege Kaiser showed negligence, breached implied contracts with patients, and invaded members’ privacy.

How the Privacy Breach Happened

Kaiser embedded tracking codes—small pieces of software called “pixels” or “web analytics tools”—directly into its patient portal and mobile apps.

Every time you logged in, searched for health information, or navigated the portal, these tracking codes captured your activity and sent data back to third-party companies like Google and Microsoft.

The companies could then allegedly use this data for targeted advertising. Searched “diabetes treatment”? You might suddenly see ads for diabetes medications across the internet.

Kaiser claims it didn’t realize the tracking codes were capturing this level of sensitive information until its internal investigation in early 2024. The company removed all tracking technologies from its websites and apps and implemented new safeguards.

But for patients whose data was already shared with tech giants? The damage was done.
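A site owner can check for this kind of leak by auditing the requests a logged-in page sends out. The sketch below is an added example, not code from Kaiser or the court filings: it flags any third-party request that carries a member's search term or name, including when the value is nested inside an encoded page URL. All hosts, paths and values are constructed placeholders.

```javascript
// Added example: audit captured requests from a logged-in page for third-party leaks.
// All hosts, paths and values below are constructed sample data.

// Decode percent-encoding repeatedly: trackers often carry the full page URL
// as a parameter, so a search term inside it is encoded twice.
function deepDecode(text) {
  let current = text.replace(/\+/g, ' ');
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch (e) { break; }
    if (next === current) break;
    current = next;
  }
  return current.toLowerCase();
}

// Treat a host as first-party if it equals the site host or is a subdomain of it.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith('.' + siteHost);
}

// Return one finding per third-party request that carries a sensitive value
// in its URL or body.
function auditRequests(siteHost, sensitiveValues, requests) {
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (isFirstParty(host, siteHost)) continue;
    const haystack = deepDecode(req.url + ' ' + (req.body || ''));
    const leaked = sensitiveValues.filter(v => haystack.includes(v.toLowerCase()));
    if (leaked.length > 0) findings.push({ host, leaked });
  }
  return findings;
}

// Constructed capture: a member searches the portal for "diabetes treatment".
const SAMPLE_REQUESTS = [
  { url: 'https://portal.health.example/search?q=diabetes+treatment' },
  { url: 'https://collect.tracker.example/hit?dl=' +
      encodeURIComponent('https://portal.health.example/search?q=diabetes%20treatment') },
  { url: 'https://pixel.ads.example/e', body: 'ev=pageview&loggedIn=1&member=Jane%20Doe' },
  { url: 'https://cdn.fonts.example/font.woff2' },
];

const SAMPLE_FINDINGS = auditRequests(
  'health.example', ['diabetes treatment', 'Jane Doe'], SAMPLE_REQUESTS);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

The first-party search request and the font download are not reported; only the two third-party requests that carry the search term or the member name are.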

The Massive Impact: Second-Largest Breach of 2024

With 13.4 million affected individuals, this became the second-largest healthcare data breach reported in 2024, trailing only the catastrophic Change Healthcare ransomware attack that impacted 193 million people.

Unlike a typical hack where criminals steal data, this breach involved a healthcare provider seemingly sharing patient data with commercial tech companies—raising even more troubling questions about corporate accountability and patient trust.

Kaiser reported the breach to the Department of Health and Human Services’ Office for Civil Rights as a HIPAA violation, acknowledging the seriousness of the disclosure.

How to File Your Claim (Step-by-Step)

Getting your share of the settlement is straightforward, but you must file before the deadlines.

Privacy Breach Settlement Claims

Online filing (easiest method):

  1. Visit KaiserPrivacySettlement.com
  2. Enter your unique ID if you received a settlement notice by mail or email
  3. If you didn’t receive a unique ID, request one from the settlement administrator
  4. Provide your name, address, and contact information
  5. Choose payment method (check or digital payment)
  6. Submit by March 12, 2026

Mail filing:

  1. Download the PDF claim form from KaiserPrivacySettlement.com
  2. Fill it out completely
  3. Mail to: Kaiser Privacy Breach Settlement, c/o Strategic Claims Services Inc., P.O. Box 230, 600 N. Jackson St., Suite 205, Media, PA 19063
  4. Must be postmarked by March 12, 2026

Text Message Settlement Claims

Online or mail filing:

  1. Visit KaiserTCPASettlement.com
  2. You’ll need the unique ID and PIN from your settlement notice
  3. If you didn’t receive one, download a paper claim form
  4. Mail to: Kaiser TCPA and FTSA Settlement, Settlement Administrator, P.O. Box 6049, Portland, OR 97228-6049
  5. Must be submitted or postmarked by February 12, 2026

Contact the settlement administrator:

  • Phone: 877-805-8877

What You Need to Prove

For the privacy breach settlement, you need to confirm you were a Kaiser member in one of the covered states and accessed authenticated (logged-in) pages of Kaiser’s websites or apps during the November 2017 to May 2024 timeframe.

If you received a settlement notice with a unique ID, Kaiser has already identified you as a potential class member—filing is even easier.

For the text message settlement, you need to show you received marketing texts after opting out. Keep copies of the texts or screenshots if possible, though the unique ID Kaiser sent should be sufficient.

When Will Payments Go Out?

Privacy breach settlement: Payments estimated for summer 2026 (likely late June or July), after the final approval hearing on April 30, 2026, and assuming no appeals delay the process.

Text message settlement: Payments likely in spring 2026, after the January 28, 2026 final approval hearing.

Both timelines depend on court approval and whether anyone appeals the settlements.

Kaiser’s Defense: “We Didn’t Know”

Kaiser denies all allegations of wrongdoing in both lawsuits.

According to Kaiser’s legal team, the company didn’t know the tracking technologies were capturing and sharing this level of patient data until its voluntary internal investigation revealed the issue.

Kaiser disclosed the data breach last year following a voluntary internal investigation into its use of tracking technologies, removed the tracking tools from its websites and mobile applications out of an abundance of caution, and sent notifications to all potentially affected individuals.

As part of both settlement agreements, Kaiser doesn’t admit liability or fault. The company agreed to settle to avoid the burden, expense, and uncertainty of continued litigation.

What This Means for Healthcare Privacy

This case is part of a disturbing trend: healthcare providers using the same tracking technologies as retail websites, not realizing (or ignoring) that patient health data deserves far stricter protection.

The federal government has taken notice. In 2022 and 2024, the Department of Health and Human Services’ Office for Civil Rights issued guidance warning healthcare providers about potential HIPAA violations related to online trackers.

In 2024, HHS OCR and the Federal Trade Commission sent warning letters to 130 hospitals and telehealth companies about their use of web trackers.

Similar healthcare tracker settlements:

  • Mount Sinai Health System: $5.3 million settlement for sharing patient portal data with Facebook
  • Multiple other hospitals and health systems facing similar lawsuits

The Kaiser settlement is among the largest to date, signaling that courts and regulators are taking healthcare privacy breaches seriously.

Your Rights: What Happens If You Don’t File

If you don’t file a claim but you’re a class member:

  • You won’t receive any payment from the settlement
  • You’ll still be bound by the settlement agreement
  • You’ll release all legal claims against Kaiser related to these issues

If you want to opt out (exclude yourself):

  • You can preserve your right to sue Kaiser independently
  • You must submit an opt-out request by the deadline (check the settlement websites)
  • You won’t receive any settlement payment if you opt out

If you want to object:

  • You can tell the court why you think the settlement is unfair
  • Objection deadlines have passed for the text message settlement (December 29, 2025)
  • Check the privacy settlement website for objection procedures

FAQ: Everything You Need to Know

How do I know if I’m eligible for the privacy breach settlement?

You’re eligible if you were a Kaiser member in California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, or DC, and logged into Kaiser’s patient portal or mobile app between November 2017 and May 2024. Kaiser sent settlement notices to identified class members, but you can still file even if you didn’t receive one.

What if I live in multiple states or moved during the timeframe?

You’re eligible if you were a member in any of the covered states at any point during the class period when you accessed the authenticated pages.

How much will I actually get?

Individual payments depend on how many people file valid claims. Early estimates suggest $20 to $40 for the privacy breach settlement and up to $75 per text for the text message settlement, but final amounts won’t be known until all claims are processed.

What was shared with tech companies?

According to the lawsuit, shared data included your name, IP address, login status, search terms in Kaiser’s health encyclopedia (symptoms, drugs, conditions), and information about how you navigated the portal. Highly sensitive information like Social Security numbers, financial data, and passwords was NOT disclosed.

Can I file for both settlements?

Yes, if you’re eligible for both. The privacy breach and text message settlements are separate cases with separate claim forms and deadlines.

What’s a “class action lawsuit”?

A class action allows one or more people (lead plaintiffs) to sue on behalf of a large group (the class) who all suffered similar harm. Instead of 13 million separate lawsuits, one lawsuit represents everyone, making it more efficient and ensuring consistent outcomes.

What does “settlement” mean?

A settlement is an agreement where the defendant (Kaiser) pays money or makes changes without admitting wrongdoing, and plaintiffs drop their legal claims. It avoids the risk, cost, and uncertainty of going to trial.

Do I need a lawyer to file a claim?

No. Filing a claim is free and doesn’t require an attorney. The settlement administrator will guide you through the process. Class counsel (the attorneys representing all class members) will receive attorneys’ fees from the settlement fund, not from your individual payment.

What if I already switched away from Kaiser?

You’re still eligible if you were a Kaiser member during the class period (November 2017 to May 2024 for privacy; January 2021 to August 2025 for texts).

Can Kaiser retaliate against me for filing a claim?

Absolutely not. Filing a claim is your legal right, and any retaliation would violate the law and the court’s orders.

Resources for Healthcare Privacy Protection

Consumer Protection Organizations:

  • Electronic Privacy Information Center (EPIC)
  • Privacy Rights Clearinghouse
  • National Consumer Law Center

The Bigger Picture: Healthcare Accountability

The Kaiser settlements represent a watershed moment for patient privacy in the digital age.

For decades, healthcare providers operated under strict HIPAA privacy rules for in-person care and paper records. But as healthcare moved online, many providers treated patient portals like commercial websites—embedding the same tracking tools used by retail sites to monitor shopping behavior.

The problem? Health information is fundamentally different from shopping data. Your search for “breast cancer symptoms” or “substance abuse treatment” deserves far more protection than your search for sneakers or lawn furniture.

These lawsuits send a clear message: healthcare providers can’t treat patient data like product sales data, and patients have legal recourse when their privacy is violated.

Whether you file a claim or not, this case highlights the importance of understanding how your health information is used, who has access to it, and what legal protections exist when companies violate your trust.

Disclaimer: This article provides information about the Kaiser class action settlements based on court documents and official settlement notices. It is not legal advice. For specific questions about your eligibility or claim, contact the settlement administrators or consult an attorney. Kaiser denies all allegations and does not admit wrongdoing by entering these settlements.

About the Author

Sarah Klein, JD

Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
