Kaiser Permanente, one of the United States’ largest not-for-profit health plans and providers, has announced a data breach that compromised the health information of over 69,000 people. The organization was founded in 1945 and serves approximately 12.5 million members in eight states and Washington, D.C.
According to a notification posted on the company’s website, on April 5, 2022, an attacker gained unauthorized access to an employee’s email account that held patients’ protected health information (PHI).
“This notice describes a security incident that may have impacted the protected health information of some Kaiser Permanente patients who may have been affected by an unauthorized access incident on April 5, 2022,” said the health care provider. “The specifics of the unauthorized access were provided to individuals affected in a letter sent by Kaiser Permanente on June 3, 2022.”
The following sensitive information was exposed as a result of the attack:
- First and last names of patients
- Medical record numbers
- Dates of service
- Laboratory test result data
The organization said that no Social Security numbers or credit card details were compromised in the breach. Only Kaiser Foundation Health Plan of Washington patients were affected by the cyber-attack. Within hours, Kaiser Permanente revoked the attacker’s access to the email account and initiated an investigation into the event to determine its impact.
“After discovering the event, we quickly took steps to terminate the unauthorized party’s access to the employee’s emails,” added Kaiser Permanente. “This included resetting the employee’s password for the email account where unauthorized activity was detected.”
The organization has given the employee further training on safe email habits and is looking into other options to guarantee that events like this don’t happen again. The health care provider found no indication that the PHI saved in the hacked email account was taken or abused after the event, although this possibility could not be ruled out completely.
While Kaiser Permanente did not specify the precise number of patients affected in its breach report, information submitted to the US Department of Health and Human Services Office for Civil Rights indicates that 69,589 people had their PHI exposed as a result of this event.