HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Kaiser Permanente Reports Two Security Incidents Impacting 5,000 Members

Kaiser Permanente has experienced two security incidents which have recently been reported to the Department of Health and Human Services’ Office for Civil Rights. In total, more than 5,000 individuals have been impacted by the breaches.

Both breaches affect members of the Kaiser Foundation Group Health Plan. The more serious incident, in terms of the number of individuals impacted, was an email-related breach affecting 4,389 health plan members in the San Bernardino County area of Southern California.

An unauthorized individual was discovered to have gained access to the email account of a Southern California Permanente physician, which contained a limited amount of protected health information.

Kaiser Permanente conducted an extensive investigation to determine the nature and full extent of the breach. While the email account was accessed, Kaiser Permanente believes the risk to plan members is low due to the nature of data contained in the email account.

The email account did not contain highly sensitive information such as bank account details, credit card numbers, insurance information, or Social Security numbers. The breach was limited to plan members’ names, ages, dates of service, medical record numbers, phone numbers, limited medical information, and flu shot data.

Affected members have been informed of the breach by mail and Kaiser Permanente is exploring additional technology that can be implemented to prevent similar breaches from occurring in the future.

One week later, Kaiser Permanente reported a second breach, this time involving the PHI of 638 plan members. The second breach was a mis-mailing incident that occurred between October 9 and October 13, 2017. Letters containing a limited amount of protected health information were sent to incorrect plan members in the West Los Angeles area.

No Social Security numbers, medical record numbers, financial information, or other highly sensitive information was involved. Affected members have been notified and mailing workflow processes have been reviewed and updated to prevent a recurrence.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.