The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Kaiser Permanente Reports Two Security Incidents Impacting 5,000 Members

Kaiser Permanente has experienced two security incidents that have recently been reported to the Department of Health and Human Services’ Office for Civil Rights. In total, more than 5,000 individuals have been impacted by the breaches.

Both breaches affect members of the Kaiser Foundation Group Health Plan. The more serious incident, in terms of the number of individuals impacted, was an email-related breach affecting 4,389 health plan members in the San Bernardino County area of Southern California.

An unauthorized individual was discovered to have gained access to the email account of a Southern California Permanente physician, which contained a limited amount of protected health information.

Kaiser Permanente conducted an extensive investigation to determine the nature and full extent of the breach. While the email account was accessed, Kaiser Permanente believes the risk to plan members is low due to the nature of data contained in the email account.

The email account did not contain highly sensitive information such as bank account details, credit card numbers, insurance information, or Social Security numbers. The breach was limited to plan members’ names, ages, dates of service, medical record numbers, phone numbers, limited medical information, and flu shot data.

Affected members have been informed of the breach by mail, and Kaiser Permanente is exploring additional technology that can be implemented to prevent similar breaches from occurring in the future.

One week later, Kaiser Permanente reported a second breach, this time involving the PHI of 638 plan members. The second breach occurred between October 9 and October 13, 2017, and was a mis-mailing incident. Letters containing a limited amount of protected health information were sent to incorrect plan members in the West Los Angeles area.

No Social Security numbers, medical record numbers, financial information, or other highly sensitive information was involved. Affected members have been notified and mailing workflow processes have been reviewed and updated to prevent a recurrence.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
