Home
News
E-mail Newsletters
Blogs
Tech Dispenser
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Print Subscriptions

Subscribe to our e-mail newsletters
For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Finance
Security
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
More E-Mail Newsletters 

Computerworld 2007Subscribe to Computerworld
40 years of the most authoritative source of news and information for IT leaders.

Kaiser Permanente division fined $200k for patient data breach

The information was posted on a publicly accessible Web site
Linda Rosencrance   Today’s Top Stories    or  Other Security Stories  
 

Sign up to receive Security Resource Alerts

June 21, 2005 (Computerworld) -- The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people.
The DMHC said the information had been available on a publicly accessible Web site for as long as four years.
"Patients must be assured that health plans will, at all costs, do everything possible to protect confidential information," Cindy Ehnes, director of the DMHC, said in a statement. "As we work on broadening the use of electronic medical records to improve patient care on both the state and federal levels, health plans must make security of confidential information a top priority."
An investigation by the agency found that Kaiser was responsible for the creation of a systems diagram Web site used as a testing portal by its IT staff. The site contained confidential patient information, including names, addresses, telephone numbers and lab results. According to the DMHC, Kaiser set up the site in 1999 without the prior consent of the affected patients.
DMHC said it was concerned that Kaiser allowed the Web site to languish on the Web in an accessible format and did not act to remove it until its existence was brought to the attention of federal civil rights authorities in January (see Update: Kaiser Permanente patient data exposed online).
In addition, Kaiser authorities chose not to inform state regulators until after the site had been reported to the media in March, the DMHC said. Kaiser has since informed all of its affected members about the incident.
"Not only was this a grave security breach, Kaiser did not actively work to protect patients until after [it] had been caught," said Ehnes. "We're imposing this fine because we consider this act to be irresponsible and negligent at the expense of members' privacy and piece of mind."
"We have fully cooperated with the Department and accept their ruling in this matter," Matthew Schiffgens, director of Issues Management at Kaiser Foundation Health Plan Inc., said in a e-mail statement. "We wish to assure our members that we take guarding their privacy seriously and have taken a number of steps to address this incident: The site in question has been taken down; KP policy is that all sites containing PHI be behind the firewall or password protected; and we are currently conducting a full audit of all Web sites."
Under California state law, a health plan can be fined if it has violated the confidentiality of medical information without first obtaining an authorization from the patient.
Berkeley, Calif., resident Elisa Cooper, a former Web coordinator at Kaiser Permanente, brought the breach to the attention of federal regulators and posted a link to the Kaiser Web site on her Web log last year. Kaiser then sued her for invasion of privacy and breach of contract. That case is still pending in Alameda County Superior Court (see Court orders blogger to stop posting Kaiser patient data).
In addition, the DMHC ordered Cooper to stop posting the link to the information, which she did, said DMHC spokeswoman Lynne Randolph. "Her case is now closed."
"I'm relieved that the DMHC has formally confirmed that Kaiser was responsible for posting the systems diagrams Web site. For three months I've been fending off Kaiser's attempts to pin that site on me, and I'm still being sued by Kaiser," Cooper said in an e-mail to Computerworld.
Cooper said she fears Kaiser could drag her back and forth to court for years because she doesn't know how the legal system works and can't afford to hire a lawyer.
"The DMHC determined the systems diagrams site had been publicly accessible since 1999, and it would still be there today if I hadn't pointed it out," she said. "I just hope the next whistleblower isn't afraid to file a complaint or talk about a problem they've discovered because of what happened to me. The DMHC still has not apologized for giving the public the impression I was the one who posted the Web site."
Kaiser officials, who have been cooperating throughout the investigation, have until June 25 to present any information to dispute the state agency's findings, or the fine will be imposed, the DMHC said.




Print this Story Send Us Feedback E-mail this Story Digg! Digg this Story Slashdot this Story

Blogs

"It's IT Blogwatch: in which Grisoft, maker of the AVG anti-virus package, backs down in its attempt to DDoS the..." Read more...
Read more Security posts or See all Blogs

Google gives away home-cooked Web application security scanner
HP eyes move of support facilities out of Colorado Springs
Microsoft trumpets security additions in upcoming IE8
More top stories...
How much is too much? Upgrade your notebook without going over the line
French ruling on counterfeit goods could have far-reaching effects for eBay
Apple cuts price of high-end SSD MacBook Air by $500

This old laptop: Revitalizing an aging notebook on the cheap
All it takes is a couple hours and about $125 to breathe new life into an old laptop. Here's how.
Bill Gates moves on
Is Microsoft's Golden Age over? What are Gates' most memorable quotes? Find out in Computerworld's complete coverage of the end of the Bill Gates era at Microsoft.
Five things you should never tell your boss
There are some things your CIO definitely doesn't want to hear. Also don't miss the flipside, Five things you should always tell your boss.
Hands-On: Firefox 3 fixes what's broke and keeps what's right
With its latest version, Mozilla's browser continues to raise the bar for what Web browsers should be.

FROM THE BLOGOSPHERE

Windows Vista A to Z
Reviews, analyses, how-tos, visual tours, hot issues and predictions about Microsoft's new OS.
IT Careers 2010
Four years from now, the IT field will be a vastly different place. Will you be ready?
All Zones
Application Performance Zone
Business Continuity Zone
Data Center Management Zone
Enterprise-Class Security Zone
The File Data Management Zone
Grid Computing on Windows Zone
Security Management Zone
ITIL Best Practices Zone
The SAS Zone
Storage Virtualization Zone
Business Intelligence and Analytics Zone


Ads by TechWords

See your link here
Why SaaS is Vital to Email and Web Security
Why SaaS is Vital to Email and Web Security
Download this webcast, free, compilments of Webroot Software
Go to the webcast 
Computerworld Executive Bulletin: Building a Robust Antivirus Defense
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
(Source: MessageLabs) Antivirus software alone isn't enough to prevent today's speedy, sophisticated virus attacks. Security managers should consider multitiered approaches that include behavior scanning, appliances that check e-mail for worms, and restricting user access to dangerous Web sites. Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs, to learn more.
Download this executive briefing download
Eliminate SPAM, Gain Productivity
Get this white paper now!
(Source: MessageLabs) Learn all about the dangers and the costs of spam in all its forms - from stock-touting to spreadsheet. Also, understand the drawbacks of traditional hardware- and software-based defenses - and the unique benefits of MessageLabs multi-layered, managed Anti-Spam solution; as illustrated by a real-world case study where MessageLabs stopped spam cold.
Download this white paper go
White Papers
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
Deploying Virtualized NetWare on Linux Whitepaper
Toward More Flexible, Next-Generation Collaboration Solutions
Driving Business Success Through Workgroup Choice and Flexibility
View more whitepapers 

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDG Connect IDG World Expo Infoworld
The Industry Standard ITworld JavaWorld LinuxWorld MacUser Macworld Network World PC World Playlist
Copyright © 2008 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.