Kaiser Permanente Data Breach Exemplifies a Global Data Challenge for Software Developers

Software development leaders can have frank discussions with operations teams and organizational leadership on their true data privacy and security posture.


Last month, Kaiser Permanente, one of the nation's largest healthcare providers, revealed a data breach involving troves of personal information that affected more than 13 million members. While this may come as a shock to the millions impacted, it should not surprise technologists, software developers, or security practitioners.

Recent reports estimate that more than 1,800 data breaches were disclosed in the first quarter of 2024 alone. The true number is almost certainly higher, since many breaches go undetected or unreported, and cybercriminals keep finding new ways to get at data.

As the number of data breaches continues to rise, it is worth noting that not all of them are the work of attackers. Some are self-inflicted.

The Data (and Software) Dilemma

Today, software is everywhere for organizations and individuals. It is in phones, televisions, and cars, and it runs financial services, logistics, customer service, and other business functions. In fact, organizations use on average 130 software-as-a-service (SaaS) applications in their technology stacks. These applications bring real benefits, from cost reduction and resource conservation to automation and faster delivery. They also widen the attack surface, and nowhere more so than around data: every integrated SaaS component is another party with a potential path to it.

As of April 2024, more than 14,000 known application and software vulnerabilities exist, any of which could end in a data disclosure. But a disclosure does not require an exploited vulnerability, or a malicious actor at all. It can follow directly from the data sharing and access privileges granted to SaaS providers in exchange for the benefits of their applications. Zoom was a notable example in 2023, when changes to its terms of service raised concerns about how far a software vendor's access to customer data extends.

In Kaiser Permanente's case, the breach was not a targeted attack by criminals or hostile nations looking to sell data to the highest bidder. It was of the organization's own making, the data-security equivalent of an own goal.

At some point, an engineering team at Kaiser Permanente was tasked with building and maintaining applications that handle members' protected health information (PHI). The expectation, presumably, was that the team had a complete picture of the technology stack, including every SaaS component integrated into those applications and what each one collects. That is not how it played out: monitoring and analytics functions belonging to third-party SaaS software, embedded in the applications, captured PHI as members used them, and the vendors behind that software gained access to the data without anyone intending it.
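The mechanism above is easy to see in code. The following is an added example, not code from Kaiser Permanente or from any vendor: a typical analytics call collects the full page URL, the page title, and whatever event properties the application passes through, and a healthcare portal's URLs and titles routinely carry member identifiers, search terms, and condition names. The hardened wrapper keeps only an allowlist of event properties, collapses the URL to its origin and first path segment, and refuses allowlisted values that look like an identifier, date of birth, or email address. The field names, the PHI-shaped patterns, and the sample page are assumptions constructed for the example; the actual transport (a pixel request or an SDK `track()` call) is out of scope, so the functions return the payload that would be sent.

```javascript
// Added example: how an embedded analytics tracker captures PHI, and a wrapper
// that restricts what leaves the page. All names and sample data are constructed.

// A typical tracker's default payload: full URL, title, and pass-through props.
function naiveAnalyticsPayload(page, eventName, props) {
  return { event: eventName, url: page.url, title: page.title, ...props };
}

// Event properties the application is allowed to share with the vendor.
// These names are assumptions for the example.
const ALLOWED_PROPS = new Set(['screen', 'component', 'outcome']);

// Cheap shape checks for values that should never reach a third party.
// A real deployment would tune these; they are deliberately conservative.
const PHI_SHAPED = [
  /\b\d{3}-\d{2}-\d{4}\b/,                            // SSN-like
  /\b\d{2}\/\d{2}\/\d{4}\b/,                          // date-of-birth-like
  /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/, // email address
  /\b\d{8,}\b/,                                       // long numeric id (MRN, member number)
];

// Reduce a URL to origin plus first path segment. Drops the query string,
// the fragment, and any deeper segments such as /patient/<id>.
function coarsenUrl(raw) {
  const u = new URL(raw);
  const first = u.pathname.split('/').filter(Boolean)[0] || '';
  return `${u.origin}/${first}`;
}

function looksLikePhi(value) {
  return typeof value === 'string' && PHI_SHAPED.some((re) => re.test(value));
}

// Hardened wrapper: no title, coarsened URL, allowlisted props only, and
// allowlisted props are still dropped if their value looks like PHI.
// Returns the payload plus the names of the props it refused, for auditing.
function safeAnalyticsPayload(page, eventName, props) {
  const payload = { event: eventName, url: coarsenUrl(page.url) };
  const dropped = [];
  for (const [key, value] of Object.entries(props || {})) {
    if (!ALLOWED_PROPS.has(key) || looksLikePhi(value)) {
      dropped.push(key);
      continue;
    }
    payload[key] = value;
  }
  return { payload, dropped };
}

// Constructed sample: a member searching for an appointment in a portal.
const SAMPLE_PAGE = {
  url: 'https://portal.example.org/appointments/search?q=oncology+second+opinion&mrn=12345678',
  title: 'Appointments: Oncology - Jane Doe',
};
const SAMPLE_PROPS = {
  screen: 'appointments',
  component: 'search',
  email: 'jane.doe@example.org',
  mrn: '12345678',
  outcome: 'ok',
};

// Side by side: what a default tracker would send versus the hardened payload.
console.log('naive:', JSON.stringify(naiveAnalyticsPayload(SAMPLE_PAGE, 'search', SAMPLE_PROPS)));
console.log('safe: ', JSON.stringify(safeAnalyticsPayload(SAMPLE_PAGE, 'search', SAMPLE_PROPS)));
```

The `dropped` list is the useful part operationally: logged internally (never sent to the vendor), it shows which call sites are trying to push identifiers or free text into analytics, which is exactly the inventory an engineering team needs before it can say with confidence what each embedded SaaS component sees.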

Although this breach was far from the most severe the sector has seen, its consequences are no less serious. Kaiser Permanente's liability, costs, and reputational damage would be no different than if cybercriminals had broken into its applications and exfiltrated the PHI.

The Healthcare Industry Is a Data Gold Mine

The Kaiser Permanente data breach highlights an alarming and growing trend in healthcare.

There are over 6,000 hospitals and nearly 1,000 health insurance companies in the United States. These organizations use various SaaS applications, such as those for electronic health records (EHR) systems, medical devices, billing, patient scheduling and communication, analytics, and risk management, to provide their patients with the best care and experiences and find operational efficiencies. They also amass extensive amounts of PHI from their patients that flow through these applications.

This PHI is a treasure trove for cybercriminals and SaaS vendors alike. For SaaS vendors, data drawn from healthcare organizations, or from any customer, is often used for product development and enhancement, and increasingly to train AI systems. For cybercriminals, stolen data can be sold to those looking to steal identities, commit insurance fraud, or drain bank accounts.

In 2023, it was estimated that there were 725 data breaches in healthcare—nearly a 100% increase in just five years. Some of the most significant breaches included NewYork–Presbyterian Hospital in New York City; Perry Johnson & Associates, which impacted Northwell Health and Crouse Health in the State of New York as well as others across the country; NationsBenefits Holdings; and Welltok.

Many of these breaches stemmed from vulnerabilities in third-party software, which underscores both the risk such software poses to healthcare organizations and their patients and the liability that holding this data creates. Healthcare organizations must hold their SaaS vendors to the highest data privacy and security standards.

A Solution to the Data Dilemma Begins with Software Developers

With the growing frequency of data breaches across all sectors, it is imperative that organizations strengthen their data privacy and security measures. This must begin with examining what data is collected, why it is collected, and where it flows once it has been collected.

Software developers have an opportunity to play a key role in helping organizations solve this problem. These individuals are the most knowledgeable regarding how an organization’s software and applications function, and how they interact with those from third parties and share data.

What's more, software developers tend to understand how other software providers use the data derived from their customers. That means they can help vet prospective third-party vendors before the organization engages them, and flag where current SaaS vendors fall short of its data privacy and security standards.

Armed with this knowledge, software development leaders can have frank discussions with operations teams and organizational leadership about their true data privacy and security posture, and recommend how data must be safeguarded. One of the most important recommendations they can make is to work with third-party vendors who prioritize data privacy and security, and who can guarantee customers that they neither require nor want access to their data. Such vendors exist in today's SaaS-driven environment, even if they are scarce, and they can serve a wide range of organizational functions.

Software developers have the deep knowledge and expertise to help bring change to their organizations’ data privacy and security practices. They must use it now before this global data dilemma becomes even more challenging.

Shiva Nathan

A seasoned technology executive and entrepreneur, Shiva Nathan draws upon his experience as a software innovator to empower businesses to reach their mobile-first digital goals. He currently serves as the Founder and CEO of Onymos, creator of the world's first Features-as-a-Service platform. As the former head of Intuit's Platform & Services organization, he defined the cloud-hosted, services-based unified technology platform that Intuit products such as TurboTax and QuickBooks leveraged. He has also held technical and leadership positions at Oracle and CA. He understands what it takes to build robust, powerful apps that serve a broad customer base, and how to avoid the roadblocks that can get in the way.
