Kaiser Permanente Hospital System Hacked with 69,000 Patient Records Breached

Oakland-based Kaiser Permanente suffered a cyber attack earlier this month affecting the test results of 69,589 patients.

The health care firm disclosed the incident on June 3, stating that an “unauthorized party” had gained access to an employee’s email at the Kaiser Foundation Health Plan of Washington.

Those messages contained the protected health information of tens of thousands of Kaiser customers, including patient names, dates of service, medical record numbers, and lab test information.

Kaiser said that financial details, such as Social Security and credit card numbers, were not compromised.

“We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident,” Kaiser said in its notice.

“We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.”

How was this breach possible?

Kaiser Permanente hasn’t said how the criminal hackers were able to breach the employee’s email account. All that we know is that its disclosure to the HHS (U.S. Department of Health and Human Services) listed the incident as a “Hacking/IT incident”.

This is a broad category on the HHS breach portal that encompasses most incidents where an outside party gains access to sensitive information (as opposed to, for example, the theft or loss of a device, the improper disposal of records, or an unauthorized access or disclosure by an insider).

Based on the information that Kaiser Permanente revealed, the incident was most likely a phishing attack. The organization wrote in its notice that the hacked employee “received additional training in safe email practices,” which suggests that the individual was duped by a scam email.

The nature of the affected information also suggests that the attacker’s reach was limited to what was stored in that mailbox, or to what that employee’s access rights allowed, rather than extending to Kaiser’s clinical systems.

Did Kaiser respond appropriately?

Kaiser deserves credit for providing the affected employee with additional training following the attack. It’s easy to blame the individual when a data breach occurs, but employees cannot live in fear of committing errors.

Such an approach will only make it less likely for an employee to admit to a mistake. This will make it tougher for the organization to identify and address data breaches.

But for as commendable as that action was, it’s notable that it took Kaiser almost two months to disclose the breach after first discovering it.

It filed its notification just two days before the HHS deadline: the HIPAA Breach Notification Rule requires covered entities to report a breach affecting 500 or more individuals without unreasonable delay and no later than 60 days after discovering it. This is ample time – particularly considering the requirements of other data breach regulations, such as the GDPR (General Data Protection Regulation), which requires organizations to notify the supervisory authority within 72 hours of becoming aware of a breach.

It’s unclear why Kaiser waited until the last moment to fulfil its requirements. It appears not to have broken any rules, although it’s worth noting that the 60 days is an outer limit, not a safe harbor: the rule still requires notification “without unreasonable delay”, so a regulator can ask why an organization that stopped the intrusion “within hours” needed nearly two months to tell patients. The deadlines are not targets. The sooner an incident is disclosed, the better it is for everybody.

How you can avoid the same mistake

Understanding your data breach notification requirements can be tricky – particularly in the U.S. There are some industry-specific federal laws with their own notification deadlines (the HIPAA Breach Notification Rule for health care is one), but the requirements also vary at the state level.

To create a system that enables you to meet your notification requirements, IT Governance USA recommends implementing ISO 27001, the international standard that describes best practice for information security management.

The Standard presents a comprehensive and logical approach to risk management, and is designed to work alongside other ISO standards. As such, the auditing process will be integrated and smooth, removing the need for multiple assessments.

Furthermore, the external validation demonstrated by accredited registration to ISO 27001 improves an organization’s cybersecurity posture while providing a higher level of confidence in customers and stakeholders. This is essential for securing certain global and government contracts.

IT Governance, a specialist in the field of information security, has created ISO 27001 packaged solutions to give U.S. organizations online access to world-class expertise.

Each fixed-price solution is a combination of products and services that will enable you to implement ISO 27001 at a speed and budget appropriate to your individual needs.