Kaiser Permanente, one of the largest not-for-profit health plans and health care providers in the United States, has announced a data breach that exposed the health records of over 69,000 people. Kaiser Permanente has served approximately 12.5 million people in eight U.S. states and Washington, D.C., since 1945.

On April 5, 2022, an attacker accessed an employee’s email account containing patients’ Protected Health Information (PHI), according to the notification posted on the company’s website.

“This notice describes a security incident that may have impacted the protected health information of some Kaiser Permanente patients who may have been affected by an unauthorized access incident on April 5, 2022. The specifics of the unauthorized access were provided to individuals affected in a letter sent by Kaiser Permanente on June 3, 2022,” stated the health care provider.
The security breach affected only patients of Kaiser Foundation Health Plan (KFHP) in Washington. The exposed data included patients’ names, medical record numbers, dates and times of service, and laboratory test results. According to the company, Social Security Numbers (SSN) and credit card details were not compromised.

Within hours, Kaiser Permanente revoked the attacker’s access to the email account and initiated an investigation to determine the incident’s impact.

“After discovering the event, we quickly took steps to terminate the unauthorized party’s access to the employee’s emails. This included resetting the employee’s password for the email account where unauthorized activity was detected. The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future,” stated Kaiser Permanente.

The health care provider found no evidence that the PHI stored in the compromised email account was taken or misused after the incident, but it could not rule out that possibility completely. While Kaiser Permanente did not specify the exact number of patients affected in its breach notice, information filed with the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) indicates that 69,589 people had their PHI exposed as a result of the incident.