Hacked emails from a Kaiser Permanente employee led to breach of 70,000 patient records

Kaiser Permanente, the largest nonprofit health plan provider in the United States, disclosed a data breach that exposed the sensitive health information of nearly 70,000 patients.

In a June 3 notice to patients, Kaiser disclosed that someone gained access to an employee’s emails at the Kaiser Foundation Health Plan of Washington on April 5. The emails contained protected health information, including the names of patients, dates of service, medical record numbers, and laboratory test result information. Sensitive financial information, including Social Security and credit card numbers, was not exposed by the leak, according to the health care provider.

Although the company did not disclose the scale of the breach, a separate filing with the US Department of Health and Human Services confirmed that 69,589 people were affected.

“We terminated the unauthorized access within hours of it beginning and immediately began an investigation to determine the scope of the incident,” Kaiser said in its notification to patients. “We have determined that the emails contained protected health information, and while we have no indication that the information was accessed by the unauthorized party, we cannot completely rule out the possibility.”

TechCrunch asked Kaiser how an unauthorized third party was able to gain access to employee emails, but the company did not comment at press time. However, it said in its notice that the hacked employee “received additional training in secure email practices,” suggesting the breach may have been the result of credential stuffing or phishing.

Kaiser added that it is “exploring other steps we can take to ensure incidents like this don’t happen in the future,” but the company did not say what these steps were. It’s also unclear why it took almost two months for Kaiser to notify affected patients of the breach.

Kaiser Permanente is the latest in a long line of health care providers to be attacked by hackers.
Health insurance giant Anthem disclosed the theft of 78.8 million records in 2015. More recently, myNurse, a healthcare startup that provides remote patient monitoring and chronic care management services, suffered a data breach in March in which a malicious third party accessed protected health data, including patient demographic, health, and financial information. On May 2, the startup announced that it would be shutting down.