25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Kaiser Permanente Notifies Members of ePHI Exposure

Posted By on Nov 8, 2016

Kaiser Permanente is notifying some of its members of a website configuration error that resulted in the exposure of some of their protected health information. Fortunately, the error was rapidly identified and ePHI was only exposed for around two hours.

An upgrade to the Kp.org website was performed on October 12, 2016 to improve webpage loading speed; however, a misconfiguration resulted in some members ePHI being exposed to other members and site visitors. Individuals affected by the incident had logged into the kp.org website between 11.26 p.m. (PT) on October 12 and 01:46 a.m. (PT) October 13.

The extent of ePHI exposed depends on the webpages members visited after logging in, although the exposed information was limited in nature and did not include any highly sensitive data such as Social Security numbers or financial information.

While data could have been viewed by other members and site visitors, the number of individuals who could potentially have viewed other individuals’ ePHI was limited due to the timing of the website update and the rapid identification of the error.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

However, since it is possible that ePHI could have been accessed and used for nefarious purposes, Kaiser Permanente has advised affected members to check their Explanation of Benefits statements carefully for any sign of fraudulent activity. Affected members have also been advised to obtain credit reports and place a fraud alert with one of the national credit agencies, although the risk of fraud is believed to be minimal.

Kaiser Permanente has now conducted a review of its website update processes and procedures. Future website updates will be subjected to further tests to prevent any future breaches of this nature.

The incident has now been reported to the California attorney general’s office and the Department of Health and Human Services Office for Civil Rights. The OCR breach report indicates 8,020 individuals have been impacted by the incident.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist