Kaiser Permanente division fined $200k for patient data breach
The information was posted on a publicly accessible Web site
Computerworld - The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people.
The DMHC said the information had been available on a publicly accessible Web site for as long as four years.
"Patients must be assured that health plans will, at all costs, do everything possible to protect confidential information," Cindy Ehnes, director of the DMHC, said in a statement. "As we work on broadening the use of electronic medical records to improve patient care on both the state and federal levels, health plans must make security of confidential information a top priority."
An investigation by the agency found that Kaiser was responsible for the creation of a systems diagram Web site used as a testing portal by its IT staff. The site contained confidential patient information, including names, addresses, telephone numbers and lab results. According to the DMHC, Kaiser set up the site in 1999 without the prior consent of the affected patients.
DMHC said it was concerned that Kaiser allowed the Web site to languish on the Web in an accessible format and did not act to remove it until its existence was brought to the attention of federal civil rights authorities in January (see Update: Kaiser Permanente patient data exposed online).
In addition, Kaiser authorities chose not to inform state regulators until after the site had been reported to the media in March, the DMHC said. Kaiser has since informed all of its affected members about the incident.
"Not only was this a grave security breach, Kaiser did not actively work to protect patients until after [it] had been caught," said Ehnes. "We're imposing this fine because we consider this act to be irresponsible and negligent at the expense of members' privacy and piece of mind."
"We have fully cooperated with the Department and accept their ruling in this matter," Matthew Schiffgens, director of Issues Management at Kaiser Foundation Health Plan Inc., said in a e-mail statement. "We wish to assure our members that we take guarding their privacy seriously and have taken a number of steps to address this incident: The site in question has been taken down; KP policy is that all sites containing PHI be behind the firewall or password protected; and we are currently conducting a full audit of all Web sites."
Under California state law, a health plan can be fined if it has violated the confidentiality of medical information without first obtaining an authorization from the patient.
Berkeley, Calif., resident Elisa Cooper,
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts