Kaiser Permanente, an HMO (Health Maintenance Organisation), is notifying 29,500 of its Northern California employees that a security breach has led to the release of their personal information, including social security numbers.
Kaiser Permanente has a long history of having its patients' confidential data compromised in security breaches. Apparently, it is not very good at protecting its employees' confidential data, either.
On Friday, California-based Kaiser said that a "handful" of employees have reported identity thefts as a result of the breach. It did not involve Kaiser member information and no personal health details have been jeopardised, according to a written statement issued by Gay Westfall, senior vice president of human resources for the Kaiser Foundation Health Plan.
This theft came to light after the arrest of San Ramon resident Mia Garza, 28, on 23 December on suspicion of possession of stolen property and forgery. In a confiscated computer, San Ramon police later found a file with Kaiser employee data. Westfall said that Kaiser Security and IT departments immediately launched an internal investigation and are working to determine the source of this breach.
In a blog comment, someone claiming to be a Kaiser employee said: "29,500 of us were notified that our names, gender, address, phone number, date of birth and rate of pay were in the stolen information in that computer file. Who knows how many other people this person may have shared or sold our information to? One year isn't nearly long enough for Kaiser to provide credit monitoring. Will they also compensate any and all costs an employee incurs if their stolen information is used to open new accounts? On the upside, thank God the thieves only got everything they need to open credit lines in my name. I'll sleep easy tonight knowing that the date of my last flu shot is still a closely guarded secret."
On Friday, Gerri Ginsburg, a Kaiser spokeswoman, said that about 6,000 of the 11,000 workers in Sacramento and Roseville area clinics and hospitals are affected.
After Garza's arrest, San Ramon police learned she had been under federal investigation since June 2008 for bank fraud and identity theft, according to Hilary Smith, a spokeswoman with the US Postal Inspection Service in San Francisco. Smith said that Garza's case has been turned over to the US attorney.
Kaiser officials said they do not know how the theft occurred or the extent of fraudulent activity. Kaiser officials said company policy requires the encryption of data on laptops and mobile devices, but declined to comment on whether data on the stolen file was encrypted.
According to Privacyrights.org, which maintains a chronological listing of data breaches, Kaiser has had confidential patient data compromised on four occasions in the last four years, all of them stemming from lost or stolen laptops.
In March 2005, the California Department of Managed Health Care slapped Kaiser with a $200,000 fine for exposing the confidential health information of 140 patients. In July 2006, a laptop containing data on 160,000 Kaiser patients was stolen, although the data didn't include social security numbers. In November 2006, a stolen Kaiser employee laptop exposed personal data - but not social security numbers - from 38,000 patients in Colorado. And in February 2007, a Kaiser doctor's laptop was pilfered, this time leading to the exposure of 22,000 patient records, 500 of which included social security numbers.
Kaiser Permanente has a long list of detractors on the internet. Among the most vocal and longest lasting are the Kaiser Papers. They claim to be building a digital library of Kaiser Entities/Permanente Medical Groups articles and artifacts in digital form. They provide free access to researchers, historians, scholars, and the general public. The other is Kaiser Thrive, whose motto is: "Failure to Thrive - A Managed Care Watch Web Site".
ITExaminer spoke with a data security analyst and network designer. He said that one of the biggest threats to data security is inconsistent implementation of procedures about data access. However, it is his experience that the real problem is human. People think that data security procedures are too cumbersome or do not apply to them.