[ISN] Kaiser Permanente division fined $200k for patient data breach

From: InfoSec News (isn@private)
Date: Tue Jun 21 2005 - 23:45:37 PDT


http://www.computerworld.com/securitytopics/security/story/0,10801,102665,00.html

By Linda Rosencrance 
JUNE 21, 2005 
COMPUTERWORLD

The California Department of Managed Health Care (DMHC) has fined 
Kaiser Foundation Health Plan, a division of Kaiser Permanente, 
$200,000 for exposing the confidential health information of about 150 
people.
 
The DMHC said the information had been available on a publicly 
accessible Web site for as long as four years. 

A Kaiser spokeswoman referred questions about the incident to another 
Kaiser official, who did not respond to a request for comment. 

"Patients must be assured that health plans will, at all costs, do 
everything possible to protect confidential information," Cindy Ehnes, 
director of the DMHC, said in a statement. "As we work on broadening 
the use of electronic medical records to improve patient care on both 
the state and federal levels, health plans must make security of 
confidential information a top priority." 

An investigation by the agency found that Kaiser was responsible for 
the creation of a systems diagram Web site used as a testing portal by 
its IT staff. The site contained confidential patient information, 
including names, addresses, telephone numbers and lab results. 
According to the DMHC, Kaiser set up the site in 1999 without the 
prior consent of the affected patients. 

DMHC said it was concerned that Kaiser allowed the Web site to 
languish on the Web in an accessible format and did not act to remove 
it until its existence was brought to the attention of federal civil 
rights authorities in January (see Update: Kaiser Permanente patient 
data exposed online) [1]. 

In addition, Kaiser authorities chose not to inform state regulators 
until after the site had been reported to the media in March, the DMHC 
said. Kaiser has since informed all of its affected members about the 
incident. 

"Not only was this a grave security breach, Kaiser did not actively 
work to protect patients until after [it] had been caught," said 
Ehnes. "We're imposing this fine because we consider this act to be 
irresponsible and negligent at the expense of members' privacy and 
piece of mind." 

Under California state law, a health plan can be fined if it has 
violated the confidentiality of medical information without first 
obtaining an authorization from the patient. 

Berkeley, Calif., resident Elisa Cooper, a former Web coordinator at 
Kaiser Permanente, brought the breach to the attention of federal 
regulators and posted a link to the Kaiser Web site on her Web log 
last year. Kaiser then sued her for invasion of privacy and breach of 
contract. That case is still pending in Alameda County Superior Court 
(see Court orders blogger to stop posting Kaiser patient data) [2]. 

In addition, the DMHC ordered Cooper to stop posting the link to the 
information, which she did, said DMHC spokeswoman Lynne Randolph. "Her 
case is now closed." 

"I'm relieved that the DMHC has formally confirmed that Kaiser was 
responsible for posting the systems diagrams Web site. For three 
months I've been fending off Kaiser's attempts to pin that site on me, 
and I'm still being sued by Kaiser," Cooper said in an e-mail to 
Computerworld. 

Cooper said she fears Kaiser could drag her back and forth to court 
for years because she doesn't know how the legal system works and 
can't afford to hire a lawyer. 

"The DMHC determined the systems diagrams site had been publicly 
accessible since 1999, and it would still be there today if I hadn't 
pointed it out," she said. "I just hope the next whistleblower isn't 
afraid to file a complaint or talk about a problem they've discovered 
because of what happened to me. The DMHC still has not apologized for 
giving the public the impression I was the one who posted the Web 
site." 

Kaiser officials, who have been cooperating throughout the 
investigation, have until June 25 to present any information to 
dispute the state agency's findings, or the fine will be imposed, the 
DMHC said. 

[1] http://www.computerworld.com/industrytopics/healthcare/story/0,10801,100420,00.html
[2] http://www.computerworld.com/industrytopics/healthcare/story/0,10801,100615,00.html



_________________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 - 
2,000+ international security experts, 
10 tracks, no vendor pitches.
www.blackhat.com 



This archive was generated by hypermail 2.1.3 : Wed Jun 22 2005 - 00:14:38 PDT