Kaiser Permanente Reports Email System Breach and Exposure of 70,000 Individuals’ PHI

Kaiser Permanente, one of the largest nonprofit health plan and healthcare providers in the United States, has reported a breach of its email system. Kaiser Permanente provides healthcare services to more than 12.5 million patients in 8 states and D.C. but said this breach only affected around 70,000 members of the Kaiser Foundation Health Plan of Washington.

Kaiser Permanente said it was alerted to a security incident involving its email system on April 5, 2022. The email account of an employee was confirmed as being accessed by an unauthorized party, and immediate action was taken to secure the account to prevent further unauthorized access. Kaiser Permanente said the account was shut down and secured within hours.

An investigation was launched to determine the nature and scope of the security breach and it was confirmed that the incident was limited to a single account; however, that account contained emails and attachments that included the protected health information of certain health plan members. The types of information exposed in the breach included patients’ first and last names, medical record numbers, dates of service, and laboratory test result information. No financial information or Social Security numbers were exposed.

No evidence was found that suggests any plan member information was accessed or removed from its systems, although unauthorized PHI access and data theft could not be ruled out. To date, no reports have been received about any actual or attempted misuse of individuals’ ePHI.

Notifications were sent on June 3, 2022, to affected individuals, who have been advised to be vigilant for potential fraud. Kaiser Permanente said the employee whose credentials were compromised has been provided with additional training on safe email practices, and it is exploring other steps that can be taken to ensure incidents like this do not happen in the future.

The breach is listed on the HHS’ Office for Civil Rights breach portal as affecting 69,589 individuals.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.