Website Glitch Exposes Personal Information of KP Members
Kaiser Permanente is alerting certain members to the potential disclosure of a limited amount of their personal information to other KP members after a glitch was discovered in the company’s online ‘Estimates’ tool.
On November 16, 2016, Kaiser Permanente updated the Estimates tool on the kp.org website; however, an error occurred during the update that potentially resulted in a member’s name, address, age, copay information, deductible payments from 2016, and out-of-pocket expenses from 2016 being displayed to another user of the tool.
Individuals potentially affected by the error visited the website and used the tool between the date the update was applied and November 28, 2016, when the error was discovered and corrected.
Kaiser Permanente has informed affected patients that there was only a small chance that their information was viewed by another person. At no point were Social Security numbers, claims information, or banking details exposed.
The error did not result in the mass disclosure of PHI to other members. In each case, an individual who used the tool may have had their data displayed to the next person who used the tool.
Kaiser Permanente conducts extensive testing of its online systems following any upgrade. Members have now been notified of the incident by mail and told “there is always the rare chance that an error can go undetected until an update is live.”
However, this will be bad news for Kaiser Permanente as it is the second website error to be discovered in just a few weeks. Certain members were impacted by a website error caused during a kp.org site upgrade in October. In that instance, the upgrade was made to improve webpage speed and the error was identified and corrected within 24 hours.
Members affected by the latest breach have been urged to review their Explanation of Benefits statements and to report any irregularities, although due to the type of information exposed and the speed of detection and correction of the error, Kaiser Permanente says the privacy risk is ‘limited’.