Two security incidents have recently been reported to the Department of Health and Human Services’ Office for Civil Rights by Kaiser Permanente. Combined, more than 5,000 people have been affected by the two breaches.
Those affected were clients of the Kaiser Foundation Group Health Plan. The potentially more dangerous incident, in terms of the number of individuals affected, was an email-related breach that put 4,389 health plan clients in the San Bernardino County area of Southern California at risk.
An unauthorized individual was found to have obtained access to the email account of a Southern California Permanente medical worker, which contained a small amount of protected health information.
Kaiser Permanente carried out an in-depth investigation to determine the nature and full extent of the breach. Although the email account was open to access, Kaiser Permanente believes the risk to plan members is low because of the specific nature of the data within the email account.
The email account did not contain highly sensitive information such as bank account information, credit card details, insurance history or Social Security information. The breach was limited to plan members’ names, ages, dates of service, medical record details, phone numbers, restricted medical information, and flu shot records.
Those at risk have been informed of the breach by mail, and Kaiser Permanente is looking into additional technology that can be put in place to prevent similar breaches from occurring again.
Around one week later, Kaiser Permanente reported another data breach, this time involving the PHI of 638 plan clients. The second breach took place between October 9 and October 13, 2017, and was a mis-mailing incident. Letters containing a limited amount of protected health information were sent to the wrong plan clients in the West Los Angeles district.
However, no Social Security numbers, medical record numbers, financial credentials, or other highly sensitive data were accessed. Affected clients have been notified, and mailing workflow procedures have been reviewed and refreshed to stop this from happening again.