Sidebar: Kaiser Permanente Fined $200k for Patient Data Breach

The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan Inc., a division of Kaiser Permanente, $200,000 for exposing the confidential health data of about 150 people.

The DMHC said the data had been available on a publicly accessible Web site for as long as four years.

"Patients must be assured that health plans will, at all costs, do everything possible to protect confidential information," Cindy Ehnes, director of the DMHC, said in a statement. "Health plans must make security of confidential information a top priority."

An investigation by the agency found that Kaiser created a systems diagram Web site used as a testing portal by its IT staff. The site contained confidential patient information, including names, addresses, telephone numbers and lab results.

The DMHC said it was concerned that Kaiser allowed the Web site to languish in an accessible format and didn't act to remove it until the site was brought to the attention of federal civil rights officials in January.

In addition, Kaiser authorities didn't inform state regulators until March, the DMHC said. Oakland, Calif.-based Kaiser has since informed all of its affected members about the incident.

"Not only was this a grave security breach, Kaiser did not actively work to protect patients until after [it] had been caught," said Ehnes.

"We have fully cooperated with the department and accept their ruling in this matter," Matthew Schiffgens, director of issues management at Kaiser Foundation Health Plan, said in an e-mail statement. He said that the site has been taken down and that "we are currently conducting a full audit of all Web sites."

Berkeley, Calif., resident Elisa Cooper, a former Web coordinator at Kaiser Permanente, brought the breach to the attention of federal regulators last year and posted a link to the Kaiser Web site on her weblog. Kaiser then sued her for invasion of privacy and breach of contract. That case is still pending.

The DMHC ordered Cooper to stop posting the link, which she did, according to a DMHC spokeswoman. "Her case is now closed," she said.

"I'm relieved that the DMHC has formally confirmed that Kaiser was responsible for posting the systems diagrams Web site," Cooper said in an e-mail.

Kaiser officials, who have been cooperating throughout the investigation, have until June 25 to present any information to dispute the state agency's findings and avoid having to pay the fine, the DMHC said.

Copyright © 2005 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon