On April 29th, healthcare giant Kaiser Permanente disclosed a data leak impacting 13.4 million current and former insurance members. The incident was rooted in improperly managed 3rd party scripts.
The Incident
Kaiser Permanente used tracking codes to monitor how its members navigated through its website and mobile applications. Some of these pages contained sensitive healthcare data, leading to the 3rd party scripts inadvertently transmitted information to third-party vendors they weren’t supposed to have.
While the breach wasn't a result of a script hijack, it highlights a significant oversight in handling third-party scripts within the healthcare industry and beyond.
The incident also highlights a broader issue: engineering teams are often asked, ad-hoc, to implement 3rd party scripts chosen by marketing, data or legal teams. This can lead to engineers implementing the script, lacking context and deploying scripts site-wide. It works, but it now touches data it shouldn’t.
Proper tooling likely wasn’t in place to spot or prevent this issue.
The Risks
The core issue at hand was not malicious intent but rather a lack of understanding and proper disclosure of the tracking code being used. The shared data included names, IP addresses, visited pages, user login status, and search terms used in Kaiser’s online health encyclopedia. Although such tracking scripts are very common, in the healthcare industry, they must comply with privacy regulations like the Health Insurance Portability and Accountability Act (HIPAA) and others.
The Risks of Inadequate Disclosure
Healthcare providers handle sensitive information, and any data leak can have serious repercussions. Even though the data shared by Kaiser might not be classified as electronically protected health information (ePHI), the breach could still result in penalties and most certainly damage to the company's reputation. The incident indicates many companies with strong safety and compliance teams, still suffer from mismanaging third-party scripts. An issue we see all too often.
A Practical Solution
To address such issues, companies can implement robust Content Security Policies (CSPs) to manage third-party scripts on sensitive pages. While this solution causes some downsides like noisy console logs, it effectively mitigates the risk of unauthorized data sharing.
Ideally, instead of deploying scripts globally, one would use conditional rendering. Defining the pages scripts should load on.
Using c/side, you can also manage your third-party scripts in a cleaner way. Allowing you to see which scripts run on specific pages, as well as protect your user from any malicious code getting rendered.
c/side
c/side can flag any sightings of scripts on pages that contain sensitive information. Allowing fine-grained, autogenerated rules to prevent delivery without noisy console logs on pages that contain sensitive data.
To address third-party script security, our solution analyzes scripts before they reach the user's browser. By proxying scripts and using AI to detect malicious intent, c/side ensures that potential threats are neutralized before they can cause harm. This proactive approach, combined with historical context analysis, allows for effective monitoring and response to third-party script breaches.
We naturally also monitor all scripts, meaning with us in place, this issue could’ve been prevented.