HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Kaiser Permanente Notifies Members of ePHI Exposure

Kaiser Permanente is notifying some of its members of a website configuration error that resulted in the exposure of some of their protected health information. Fortunately, the error was rapidly identified and ePHI was only exposed for around two hours.

An upgrade to the kp.org website was performed on October 12, 2016 to improve webpage loading speed; however, a misconfiguration resulted in some members' ePHI being exposed to other members and site visitors. Individuals affected by the incident had logged into the kp.org website between 11:26 p.m. (PT) on October 12 and 01:46 a.m. (PT) on October 13.

The extent of ePHI exposed depends on the webpages members visited after logging in, although the exposed information was limited in nature and did not include any highly sensitive data such as Social Security numbers or financial information.

While data could have been viewed by other members and site visitors, the number of individuals who could potentially have viewed other individuals’ ePHI was limited due to the timing of the website update and the rapid identification of the error.

However, since it is possible that ePHI could have been accessed and used for nefarious purposes, Kaiser Permanente has advised affected members to check their Explanation of Benefits statements carefully for any sign of fraudulent activity. Affected members have also been advised to obtain credit reports and place a fraud alert with one of the national credit agencies, although the risk of fraud is believed to be minimal.

Kaiser Permanente has now conducted a review of its website update processes and procedures. Future website updates will be subjected to further tests to prevent any future breaches of this nature.

The incident has now been reported to the California attorney general’s office and the Department of Health and Human Services Office for Civil Rights. The OCR breach report indicates 8,020 individuals have been impacted by the incident.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.