Kaiser Permanente is alerting patients that it experienced a “human error” data breach on May 16 when an employee mistakenly emailed a spreadsheet associated with a Wellness Screening competition to a pilot planning team member who was not part of the Kaiser organization.
The recipient was supposed to receive only a summary of the competition, but the spreadsheet was inadvertently attached as well. Kaiser learned of the breach in late July. The screening data on the spreadsheet included first and last names, Kaiser Permanente medical record numbers, phone numbers, email addresses, employer names, department names, and the appointment dates and times for the health screenings. In a September 10 breach notification letter to patients, Kaiser said that it is investigating the matter and that the recipient never saw the information:
Please be assured that no information was shared regarding the screening results. Your personal information was unknowingly included and not ever viewed by the recipient. The error was discovered by Kaiser Permanente in late July 2013, and we immediately launched an investigation into what happened and worked with the recipient and the recipient’s employer to delete the electronic file from their systems. The recipient has been very cooperative and has given Kaiser Permanente every assurance, including a legal attestation, that the information was not viewed and has been deleted.
It is unknown how many patients were involved and whether Kaiser uses email encryption. Information from PHIPrivacy.net was used in this report.