June 14, 2022

Kaiser Permanente Data Breach

Bones Ijeoma

CEO and co-founder

A data breach at Kaiser Permanente compromised the protected health information of thousands of patients. Find out how it happened and how to prevent it.

Earlier this month, healthcare provider Kaiser Permanente disclosed a data breach that exposed the protected health information (PHI) of thousands of their patients. In a notice dated June 3, 2022, the organization admitted that:

On April 5, 2022, Kaiser Permanente discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident. We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.

The sensitive information exposed in the email hack includes:

  • Patients’ first and last names
  • Medical record numbers
  • Dates of service
  • Lab test results

The notice states that Social Security numbers and credit card information were not exposed in the breach.

After discovering the breach, Kaiser terminated the hacker’s access to the employee’s emails. They further stated that “the employee received additional training on safe email practices,” suggesting that the attack may have been unwittingly facilitated by an undertrained user.

The notice does not disclose how many people were affected by the breach. However, as required by the HIPAA and HITECH laws, breaches exposing protected health information are posted by the U.S. Department of Health and Human Services. A quick search of that database showed that this event affected 69,589 individuals (see screenshot below).

[Screenshot] The DHHS breach portal shows that the Kaiser Permanente data breach affected 69,589 individuals.

Lessons Learned

There are a few things we can learn from the incident:

  • Make sure employees receive Security Awareness Training before they are attacked, not after 70K sensitive records are already exposed. A great security awareness training program engages users by sending simulated phishing emails and testing them on their security skills.
  • Invest in multi-layered security like AllSafe IT’s Safe Total. While email is the top attack vector that cybercriminals exploit, you should make sure you have defensive measures in place at all levels including computers, servers (including cloud servers), mobile devices, wireless access points, firewalls, and websites.
  • Verify unusual or significant requests over the phone. If in doubt, pick up the phone and call the alleged sender to verify if they sent the request. Make sure to use a phone number you trust and not a number listed in the email.

About AllSafe IT

AllSafe IT is an IT services, consulting, and IT support firm with a dedicated, certified team of technology experts and a client base spanning a wide range of industries. In today's ultra-competitive world, businesses that don't utilize the full potential of their IT systems often fall behind their competitors - which can ultimately lead to failure. Our services are custom tailored to ensure that your business not only survives, but thrives.