Kaiser Permanente is notifying some of its members of a website configuration error that resulted in the exposure of some of their protected health information. Fortunately, the error was rapidly identified and ePHI was only exposed for around two hours.
An upgrade to the kp.org website was performed on October 12, 2016 to improve webpage loading speed; however, a misconfiguration resulted in some members' ePHI being exposed to other members and site visitors. Individuals affected by the incident had logged into the kp.org website between 11:26 p.m. (PT) on October 12 and 01:46 a.m. (PT) on October 13.
The extent of ePHI exposed depends on the webpages members visited after logging in, although the exposed information was limited in nature and did not include any highly sensitive data such as Social Security numbers or financial information.
While data could have been viewed by other members and site visitors, the number of individuals who could potentially have viewed other individuals’ ePHI was limited due to the timing of the website update and the rapid identification of the error.
However, since it is possible that ePHI could have been accessed and used for nefarious purposes, Kaiser Permanente has advised affected members to check their Explanation of Benefits statements carefully for any sign of fraudulent activity. Affected members have also been advised to obtain credit reports and place a fraud alert with one of the national credit agencies, although the risk of fraud is believed to be minimal.
Kaiser Permanente has now conducted a review of its website update processes and procedures. Future website updates will be subjected to further tests to prevent any future breaches of this nature.
The incident has now been reported to the California attorney general’s office and the Department of Health and Human Services Office for Civil Rights. The OCR breach report indicates 8,020 individuals have been impacted by the incident.