Kaiser Permanente Reported Two Data Breaches that Impacted 5,000 Plan Members


Kaiser Permanente reported two data breaches to the Department of Health and Human Services’ Office for Civil Rights that affected over 5,000 patients. The two incidents affected members of the Kaiser Foundation Group Health Plan. The more serious incident was an email-related breach. It affected 4,389 health plan members located in the San Bernardino County area of Southern California. The incident report stated that an unauthorized person gained access to a Southern California Permanente physician’s email account. That account held some protected health information of patients.

Kaiser Permanente investigated the matter to determine how the breach happened and the extent of the potential damage. Though a physician’s email account was indeed compromised, it is believed that the risk to plan members is low because of the type of information stored in the email content. Information that was potentially exposed included the names of plan members, ages, phone numbers, dates of service, some medical information, medical record and flu shot data. Highly sensitive information like credit card numbers, bank account details, Social Security numbers and insurance information was not included.

Kaiser Permanente sent notification letters by mail to all affected members regarding the data breach. Also, the covered entity is reviewing additional technology that can help identify and stop the occurrence of similar breaches.

After one week, Kaiser Permanente experienced another breach that affected 638 plan members. This incident happened from October 9 to October 13, 2017. It was due to a mistake in sending postal mail to plan members in the West Los Angeles area. Fortunately, the letters contained only a limited amount of protected health information. Sensitive information such as Social Security numbers, financial data and medical record numbers was not included. Kaiser Permanente has already notified the affected members. The mailing system was also reviewed and updated to keep data breaches of this kind from happening again.