The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Kaiser Permanente Reports Email System Breach and Exposure of 70,000 Individuals’ PHI

Kaiser Permanente, one of the largest nonprofit health plan and healthcare providers in the United States, has reported a breach of its email system. Kaiser Permanente provides healthcare services to more than 12.5 million patients in 8 states and D.C. but said this breach only affected around 70,000 members of the Kaiser Foundation Health Plan of Washington.

Kaiser Permanente said it was alerted to a security incident involving its email system on April 5, 2022. The email account of an employee was confirmed as being accessed by an unauthorized party, and immediate action was taken to secure the account to prevent further unauthorized access. Kaiser Permanente said the account was shut down and secured within hours.

An investigation was launched to determine the nature and scope of the security breach and it was confirmed that the incident was limited to a single account; however, that account contained emails and attachments that included the protected health information of certain health plan members. The types of information exposed in the breach included patients’ first and last names, medical record numbers, dates of service, and laboratory test result information. No financial information or Social Security numbers were exposed.

No evidence was found that suggests any plan member information was accessed or removed from its systems, although unauthorized PHI access and data theft could not be ruled out. To date, no reports have been received about any actual or attempted misuse of individuals’ ePHI.

Notifications were sent on June 3, 2022, to affected individuals, who have been advised to be vigilant for potential fraud. Kaiser Permanente said the employee whose credentials were compromised has been provided with additional training on safe email practices, and it is exploring other steps that can be taken to ensure incidents like this do not happen in the future.

The breach is listed on the HHS’ Office for Civil Rights breach portal as affecting 69,589 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
