[ISN] 140 Kaiser patients' private data put online

From: InfoSec News (isn@private)
Date: Mon Mar 14 2005 - 01:42:16 PST


By Barbara Feder Ostrov
Mercury News
March 11, 2005

In a troubling episode involving medical privacy in the digital age,
Kaiser Permanente is notifying 140 patients that a disgruntled former
employee posted confidential information about them on her Weblog.

The woman, who calls herself the ``Diva of Disgruntled,'' claims it
was Kaiser Permanente that included private patient information on
systems diagrams posted on the Web, and that she pointed it out.

The health care giant learned of the breach from the federal Office of
Civil Rights in January, said Kaiser spokesman Matthew Schiffgens.  
Kaiser has been investigating ever since, Schiffgens said, but it
wasn't until Wednesday that it asked the Internet service provider
hosting the blog to remove the information.

Kaiser has not been able to verify the woman's claims that it was
responsible for posting private patient information, said Schiffgens.

``If we had a role in making that available, we have a right to be
criticized for that,'' Schiffgens said. ``Regardless of how it
happened, her initial postings are clearly a breach of her obligation
to protect member confidentiality.''

The woman, who identified herself only as "Elisa," told the Mercury
News Kaiser posted patient information on an unsecured technical Web
site and that she called attention to it before Kaiser took the site
down. She also said that she reposted the information on another site
to make the point that anyone could have gained access to this
information, since it had been widely available on the Web for a year.

She said she also filed a complaint with the federal Office of Civil
Rights about the security breach.

The information includes medical record numbers, patient names and in
some cases information about, but not results of, routine lab tests.  
The former employee apparently reposted the information Thursday, but
it was again removed, Schiffgens said.

Kaiser contacted or left messages with 90 of the 140 members Thursday
to alert them to the security breach, and hopes to reach the remaining
members today. The patients were dispersed throughout Northern
California, Schiffgens said.

``We apologize regarding this unlawful disclosure,'' he said. ``We
take our members' confidential and personal information very

Schiffgens said the woman was a low-level Web designer who worked for
the Kaiser Permanente Medical Group in Oakland. She was terminated in
June 2003, but Schiffgens would not say why or release her name.

Kaiser will take legal action against the woman if warranted,
Schiffgens said. Under federal health privacy rules known as HIPAA,
the woman could face up to $250,000 in fines and 10 years in prison
for unauthorized disclosure of patient information.

Bellua Cyber Security Asia 2005 -

This archive was generated by hypermail 2.1.3 : Mon Mar 14 2005 - 04:48:35 PST