Kaiser Permanente Worker Fired After Patient Information Stolen From Car

An employee of Kaiser Permanente has been fired after a storage data device containing health information for about 15,500 patients in Northern California was stolen from the employee's car.

Kaiser Permanente believes that the employee wasn't unlawfully using the information but the device was unauthorized and violated Kaiser Permanente's strict policies regarding data storage, said Kristin Chambers, vice president of compliance and privacy for Kaiser Permanente, Northern California, in a statement.

Kaiser Permanente conducted an investigation of the incident and notified state and federal regulatory agencies, and the theft also was reported to the Sacramento Police Department, she said.  

No patient Social Security numbers or financial information were on the device, "and currently, we have no evidence that the information has been used inappropriately," Chambers said.

The information on the device included the patients' full name and Kaiser Permanente medical record number, and depending on the individual, may have included other information such as their date of birth or age, gender, phone number, and date and other general information related to their treatment, she said.

Kaiser Permanente is the largest nonprofit health maintenance organization in the United States. As an integrated HMO, it includes the Kaiser Foundation Health Plan, Kaiser Foundation Hospitals and the Permanente Medical Groups (BestWire, June 25, 2008).

The incident involved the health plan, a company spokesman said. He didn't provide additional comment beyond the statement.

Kaiser Permanente takes this incident "very seriously, and despite the relatively low risk to individuals posed by the theft of this device, we have notified and apologized in writing to approximately 15,500 patients in the Northern California region who were affected," Chambers said.

Kaiser Permanente has no reason to believe that the device was stolen for the information on it or that the information could easily be used for fraud or other criminal activity, she said.

The organization is committed to protecting the personal health information of its members and patients, "and we are taking appropriate actions, including additional staff education and training, to further guard against such incidents," Chambers said.

Over the past few years, U.S. health insurers have reported that the personal information of their members or providers was accidentally exposed on the Internet or reported the theft of members' personal data.

Most recently, the personal information of about 500,000 members of BlueCross BlueShield of Tennessee is at risk as a result of 57 computer hard drives that were stolen last October from a facility the health insurer leased in Chattanooga that previously housed a call center. A spokeswoman for the Tennessee Blues said after having completed 90% of the data-matching process regarding Social Security numbers, the company verified that 220,000 members had Social Security numbers on the stolen hard drives (BestWire, Jan. 14, 2010).

And this week, Connecticut's attorney general said he's suing Health Net of Connecticut Inc., alleging the company failed to secure the private medical records and financial information of 446,000 members in a recent security breach (BestWire, Jan. 14, 2010).

(By Fran Matso Lysiak, senior associate editor, BestWeek: [email protected])