Kaiser Permanente Discloses Data Breach at WA Health Plan, 69K Impacted

June 13, 2022 - Kaiser Permanente notified 69,589 individuals of a data breach that occurred at the Kaiser Foundation Health Plan of Washington. According to a notice on its website, Kaiser Permanente discovered on April 5 that an unauthorized party had gained access to an employee’s emails.

Kaiser Permanente terminated the access “within hours” and began investigating. Although there was no indication that the unauthorized party accessed the protected health information (PHI) contained in the emails, the organization could not rule out the possibility.

The emails contained names, dates of service, medical record numbers, and laboratory test result information.

“After discovering the event, we quickly took steps to terminate the unauthorized party’s access to the employee’s emails,” the notice emphasized.

“This included resetting the employee’s password for the email account where unauthorized activity was detected. The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future.”

Kaiser Permanente began notifying impacted patients by mail on June 3.

Virginia Mason Medical Center Faces Second Breach Since December

Virginia Mason Medical Center (VMMC) faced its second data breach since December 2021, according to a notice on its website. In the latest incident, an external third party “intruded” three servers between January 16 and January 20, 2022.

There was no evidence of data exfiltration, but the servers potentially contained PHI, including names, phone numbers, Social Security numbers, health insurance numbers, email addresses, COVID-19 screening and surveillance, and presence on a COVID-19 vaccine waiting list. The incident impacted 1,523 individuals.

“VMMC conducted a comprehensive investigation of the incident. The FBI was notified as well. Upon discovery, the involved servers were quickly removed from the network. The involved servers were isolated for investigation and subsequently will no longer be used,” VMMC’s notice stated.

“New servers containing updated security and software were put in place. The forensic vendor, and other partners, reviewed each file that the unauthorized party may have accessed to determine what, if any, personal or protected health information was present.”

In March 2022, VMMC also notified patients of a separate data breach that impacted just under 3,000 individuals. An unauthorized party accessed some VMMC staff email accounts between December 21, 2021, and January 3, 2022, via a phishing attack. VMMC said it implemented blocks to the phishing domain and provided further employee education.

“VMMC regrets this event and any concern it may cause,” both notices stated.

“We strive to always maintain the privacy and security of our patients’ and employees’ protected information.”

Seattle-based Healthcare AI and Technology Solutions Company Discloses Data Breach

MCG Health, a Seattle-based software company that provides patient care guidelines to providers and health plans using artificial intelligence and technology solutions, notified an undisclosed number of individuals about a recent data breach.

MCG is part of the Hearst Health Network and combines “clinical guidelines, created from an unbiased review of the most current literature and data, with innovative software solutions and robust analytics,” the company’s website states.

On March 25, MCG determined that “an unauthorized party previously obtained personal information about some patients and members of certain MCG customers.” It is unclear when the incident took place.

The impacted data included names, addresses, phone numbers, gender, dates of birth, medical codes, and Social Security numbers. MCG began notifying impacted individuals of the incident on June 10.

“Upon learning of this issue, MCG took steps to understand its nature and scope. A leading forensic investigation firm was retained to assist in the investigation,” the notice continued.

“Additionally, MCG is coordinating with law enforcement authorities. MCG has deployed additional monitoring tools and will continue to enhance the security of its systems.”