The healthcare and personal information of up to 70,000 Kaiser Permanente patients in Washington state may have been exposed following unauthorized access to the US healthcare giant’s email system.
The incident, which took place in early April, potentially exposed patients' first and last names, medical record numbers, dates of service, and laboratory test results.
Financially sensitive information such as Social Security numbers and credit card numbers was not exposed, according to the healthcare provider.
In a breach notice (PDF) issued earlier this month, Kaiser sought to reassure potentially affected members by stating that the security incident was promptly contained.
The organization said:
On April 5, 2022, Kaiser Permanente discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident.
We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.
Kaiser says it has seen no evidence of identity theft or misuse of protected health information as a result of the breach, but has nonetheless advised affected patients to watch for signs of fraud.
Kaiser's breach notice does not give a figure, but the US Department of Health and Human Services' Office for Civil Rights reports that 69,589 records were potentially exposed as a result of the email security lapse at Kaiser's Washington unit.
In response to the incident, Kaiser said it promptly reset the employee's password for the email account where unauthorized activity was detected. The notice does not say whether any existing sessions or access tokens for the account were also revoked, a step a password reset alone does not necessarily accomplish.
“The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future,” Kaiser Permanente concluded.
The Daily Swig asked Kaiser to confirm that only one of its email accounts was affected by the breach and invited it to explain the root cause of the incident.
We also asked the healthcare provider to shed light on why it had decided against offering a year’s credit monitoring services at no charge to those impacted by the incident – a standard but by no means universal courtesy to victims of data breach incidents.
Source: https://portswigger.net/daily-swig/kaiser-permanente-data-breach-exposed-healthcare-records-of-70-000-patients