SACRAMENTO, Calif. — In a notice to affected patients, Kaiser Permanente alerted members to a data breach that took place in mid-August.
It impacted 990 Sacramento-area patients, Kaiser told ABC10 in an email.
The email account of a Kaiser Permanente health care provider based in Sacramento “became accessible to an unknown and unauthorized individual for approximately 13 hours,” according to a notice on Kaiser Permanente’s website. The email account contained patients’ protected health information, which that health care provider was authorized to have-- but not the individual who had access to the email account during that 13-hour window.
"The exposure was identified by an ongoing IT security process and corrected immediately upon discovery," said Angela Anderson, Kaiser Permanente Northern California Regional Compliance Director, Privacy and Security Officer. "We do not have any evidence that the information was viewed, used or copied."
The breach happened on Aug. 12, and Kaiser learned about it a week later, on Aug. 19. The healthcare group alerted affected members in a letter mailed Sept. 27 and in this notice. ABC10 asked why it took the healthcare group nearly six weeks to send that notice.
"We notified members as soon as we were able, following a thorough review and assessment of the information involved," a spokesperson responded via email. "An investigation into the incident was launched immediately and is ongoing. We cannot provide additional information about the investigation."
RELATED: DEA inspecting opioid prescriptions at Kaiser Permanente’s Roseville Medical Center pharmacy
Patient information in the email account included names and medical record numbers. For some patients, other available information may have included some of the following:
Date(s) of service, age, date of birth, gender, provider name, provider comments, payer name, diagnosis, medical history, benefit information, insurance coverage status, and treatment, procedure and/or service provided.
Social Security numbers and financial information were not among the available information, the notice said.
“Kaiser Permanente is taking steps to prevent this type of error from occurring in the future,” the notice said. “Upon learning of this issue, we changed the password to the provider’s email account and have undertaken additional measures to further strengthen Kaiser Permanente’s email security controls.”
The healthcare group urges impacted members to “carefully review any Explanation of Benefits statements you receive and contact us right away at the number on the back of your Kaiser Permanente Identification card if you spot any suspicious activity.”
People with questions, concerns or complaints can call Kaiser Permanente at 1-800-464-4000 (TTY 711).
“On behalf of Kaiser Permanente, we offer our sincerest apology that this unfortunate incident occurred,” Anderson wrote. “We assure you that safeguarding your information is one of our highest priorities...Upon notification, we launched an extensive investigation, ensured all appropriate security measures had been taken, and are taking steps to prevent a recurrence in the future."
Continue the conversation with Becca on Facebook.