Elaine Jean Tech 06.14.2022 01:Jun AM EDT

Kaiser Permanente Hack: Health Data of 69,000 People Exposed — How Did It Happen

Kaiser Permanente suffered a massive online data breach.

A data breach recently announced by Kaiser Permanente, one of the major not-for-profit health plans and health care providers in the United States, exposed the medical records of more than 69,000 individuals.

Kaiser Permanente Data Breach

Kaiser Permanente alerted 69,589 individuals about their most recent data breach at the Kaiser Foundation Health Plan of Washington.

On April 5, 2022, an unauthorized individual gained access to the email account of an employee at the company, which contained protected health information (PHI) of patients who are all confirmed to be their customers. The company disclosed this information in a notification that was posted on its website.

According to BleepingComputer, the company stated, "This notice describes a security incident that may have impacted the protected health information of some Kaiser Permanente patients who may have been affected by an unauthorized access incident on April 5, 2022."

In a letter dated June 3, 2022, Kaiser Permanente informed those whose information had been improperly accessed by malicious threat actors. The following sensitive information was exposed as a result of the attack:

The initials and full names of the patients
Numbers assigned to medical records
Times and dates of services
Information regarding the results of laboratory tests

The company has stated that there was no exposure of sensitive information such as Social Security numbers or credit card data during this breach.

As reported by Health IT Security, the hack, within hours, Kaiser Permanente cut off access to the information and then started an investigation. Even while there was no evidence to suggest that an unauthorized party accessed the PHI that was contained in the emails, the organization was unable to completely discount the possibility.

With more than 12 million customers, Kaiser Permanente is one of the largest healthcare providers in the United States that operates on a not-for-profit basis. It has about 300,000 employees, including more than 80,000 medical professionals and nurses, and operates 39 hospitals and more than 700 medical offices.

Kaiser Permanente is a nonprofit organization that was established in 1945 and currently serves over 12.5 million patients across eight states in the United States as well as in Washington, D.C.

Kaiser Permanente's Mitigation

Kaiser Permanente, as stated, assured its customers that the company took hold of the breach within a matter of hours. The company stated that the employee whose login was maliciously hacked received extra training on safe email practices, and we are currently evaluating other steps we can take to ensure that events like this do not happen in the future.

In addition, as a response to the incident, Kaiser stated that it immediately reset the password for the employee's email account where the unauthorized activity was discovered.

Kaiser Permanente cut off the attacker's access to the email account and commenced an investigation into the event to determine the extent of its influence.

Although Kaiser Permanente did not disclose the exact number of patients affected by the breach notice, information that was filed with the Office for Civil Rights of the United States Department of Health and Human Services shows that this incident led to 69,589 individuals having their PHI exposed.

In spite of the fact that there is no evidence that protected health information has been misused or stolen as a result of the security breach, Kaiser Permanente has cautioned those whose information was compromised to remain vigilant against the possibility of fraud.