Stolen iPad Leads to Potential PHI Exposure at Kaiser Permanente

July 28, 2022 - On May 20, an unknown individual broke into a locked storage area at the Kaiser Permanente Los Angeles Medical Center and stole an iPad, which led to potential protected health information (PHI) exposure for 75,010 individuals.

The unauthorized individual stole the password used to access the iPad along with the device itself. Kaiser Permanente used the iPad at its COVID-19 testing site and it contained photos of lab specimen labels.  

The photos contained patient names, medical record numbers, and dates and locations of service. Kaiser Permanente said it had no evidence that the information was accessed or viewed by the individual. Kaiser Permanente said it immediately notified law enforcement and remotely erased all data from the iPad, including pictures.

“Kaiser Permanente is taking appropriate steps to prevent this type of incident from recurring including, but not limited to, relocating devices to a more secure location and strengthening internal practices and procedures,” the notice stated.

Blue Shield of California Suffers Fourth-Party Vendor Breach

Bule Shield of California Promise Health Plan informed 1,506 individuals of a data breach that originated at OneTouchPoint (OTP), a subcontractor of Blue Shield vendor Matrix Medical Network.

On April 28, 2022, OTP discovered suspicious network activity and later confirmed that a ransomware attack had occurred. Blue Shield learned about the incident on May 20.

OTP immediately stopped the unauthorized access and further investigation revealed that the hacker potentially accessed PHI. The accessed data potentially included names, subscriber ID numbers, birth dates, sex, physician demographics, advance directives, diagnoses, medications, social history, vitals, immunizations, encounter data, allergies, assessment ID numbers, and assessment dates.

“Blue Shield takes this incident very seriously. We are committed to maintaining your privacy. OTP immediately terminated the unauthorized access, took mitigation actions, and began an investigation into the matter. OTP is also evaluating the need for additional steps and will continue to make security improvements,” the notice stated.

Clinivate Notifies 77K of EHR Data Breach

Clinivate, which provides an EHR solution for behavioral health agencies and schools, recently began notifying 77,652 individuals of a data breach that occurred in March 2022.

Clinivate discovered suspicious activity in its digital environment on March 23 and immediately launched an investigation. The investigation revealed that an unauthorized party had accessed certain systems and files containing personal information between March 12 and March 21.

The information potentially included names, medical record numbers, health plan beneficiary numbers, Social Security numbers, treatment information, diagnosis information, and other medical information.

“As soon as Clinivate discovered this unusual activity, it took steps to secure the environment, investigate, review the impacted data, and enhanced security measures to help prevent a similar incident from occurring in the future,” the notice to impacted individuals stated.

“Clinivate also notified the Federal Bureau of Investigation and will fully cooperate with any investigation.”