Lost Flash Drive At Core Of Kaiser Permanente Data Breach
Health-care provider Kaiser Permanente has notified nearly 50,000 patients that their personal information was potentially exposed as the result of a privacy breach at its Anaheim Medical Center in California.

In a data breach notification letter filed with the California Attorney General's office, Kaiser Permanente Senior Vice President and Executive Director Julie Miller-Phipps said the health-care firm was informed that a USB flash drive containing the personal data was missing.

The flash drive contained the name, medical record number, date of birth and medication of patients obtaining health care at the company's Anaheim facility. The incident was reported to the firm Sept. 25 and letters to affected patients were sent out one month later.


"We're making every effort to recover it, have investigated the matter and are taking appropriate steps to remedy the situation," Miller-Phipps wrote in the letter to affected patients.

The breach is one in a line of health-care-related data losses that solution providers say are becoming increasingly common because of the complexity of most provider systems. Many hospitals, clinics and medical offices struggle to maintain compliance with health-care regulations because of the myriad partners involved in delivering patient care, said Ben Goodman, president of 4A Security, a New York-based information security risk and compliance consultancy and systems integrator. Goodman said it is difficult to control data shared with associated partners and other contractors while maintaining compliance with the Health Insurance Portability and Accountability Act (HIPAA).

"There's exponentially more data out there in more places, and the compliance burden is the same for some little guy who is a consultant as it is for a hospital with employees located in different areas around the country," Goodman said. "Many firms don't have any kind of administrative policy enforcement tool in place."

Fines associated with failure to comply with HIPAA have increased significantly in 2013 following the transfer of enforcement from the Medicare Operations Division to the Office for Civil Rights under the Department of Health and Human Services. An update to HIPAA under the Omnibus Rule, which increased penalties and extended the law's requirements to all business associates of health-care providers, took effect in September. The Omnibus Rule uses a tier-based system to categorize rule violations, with fines running from $1,000 to $1.5 million per violation.

Remediating risk and addressing security issues within a health-care environment takes time and constant vigilance, said Greg Williams, a security compliance consultant for MMIC, the largest policyholder-owned medical liability insurer in the Midwest. Most health-care organizations' security programs are still in their infancy, said Williams, who has been doing a mixture of data security and compliance consulting in the industry for about 15 years.

Williams said the health-care industry is facing complex issues as organizations are required to digitize medical records. "It's overwhelmed with how to address compliance and implement safeguards," Williams told CRN in a recent interview.

While stolen laptops and smartphones are typically associated with criminals out to resell the physical devices, cybercriminals are increasingly targeting health-care organizations to steal the sensitive data those devices and systems hold.

A recent study by Dell SecureWorks uncovered an underground health insurance data market valued in the millions of dollars. Social Security numbers, health insurance credentials and other patient information are bought and sold via brokered online chat rooms and forums, according to the SecureWorks researchers. The data is apparently used to help illegal immigrants, criminals and foreigners obtain specialized medical care in the U.S., the researchers said.

PUBLISHED DEC. 11, 2013