Kaiser Permanente Reported Two Data Breaches that Impacted 5,000 Plan Members


Kaiser Permanente reported two data breaches to the Department of Health and Human Services’ Office for Civil Rights that affected over 5,000 patients. The two incidents affected members of the Kaiser Foundation Group Health Plan. The more serious incident was an email-related breach. It affected 4,389 health plan members located in the San Bernardino County area of Southern California. The incident report stated that an unauthorized person gained access to a Southern California Permanente physician’s email account. That account held some protected health information of patients.

Kaiser Permanente investigated the matter to determine how the breach happened and the extent of the potential damage. Though a physician’s email account was indeed compromised, it is believed that the risk to plan members is low because of the type of information stored in the email content. Information that was potentially exposed included the names of plan members, ages, phone numbers, dates of service, some medical information, medical record and flu shot data. Highly sensitive information like credit card numbers, bank account details, Social Security numbers and insurance information was not included.

Kaiser Permanente sent notification letters by mail to all affected members regarding the data breach. The covered entity is also reviewing additional technology that can help identify and stop similar breaches.

After one week, Kaiser Permanente experienced another breach that affected 638 plan members. This incident happened from October 9 to October 13, 2017. It was due to a mistake in sending postal mail to plan members in the West Los Angeles area. Fortunately, the letters contained only a limited amount of protected health information. Sensitive information such as Social Security numbers, financial data and medical record numbers was not included. Kaiser Permanente has already notified the affected members. The mailing system was also reviewed and updated to keep data breaches of this kind from happening again.

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/