14 June 2022

DATA BREACH Exposes health data of 69K people

Intro: While Kaiser Permanente did not reveal the exact number of affected patients in the breach notice, information filed with the U.S. Department of Health and Human Services Office for Civil Rights shows that this incident has led to 69,589 individuals having their PHI (protected health information) exposed.


Kaiser Permanente data breach exposes health data of 69K people

Kaiser Permanente, one of America's leading not-for-profit health plans and health care providers, has recently disclosed a data breach that exposed the health information of more than 69,000 individuals.

Founded in 1945, Kaiser Permanente provides health care services to over 12.5 million members from 8 U.S. states and Washington, D.C.

The company revealed in a notice published on its website that an attacker accessed an employee's email account containing patients' protected health information (PHI) on April 5, 2022, without authorization.

"This notice describes a security incident that may have impacted the protected health information of some Kaiser Permanente patients who may have been affected by an unauthorized access incident on April 5, 2022," the health care provider said.

"The specifics of the unauthorized access were provided to individuals affected in a letter sent by Kaiser Permanente on June 3, 2022."

Sensitive info exposed in the attack includes:

  • The patients' first and last names
  • Medical record numbers
  • Dates of service
  • Laboratory test result information

The organization says no Social Security numbers and credit card numbers were exposed during this breach.

The security incident only affected the Kaiser Foundation Health Plan of Washington patients.

Access to breached email severed within hours

Kaiser Permanente terminated the attacker's access to the email account within hours and began investigating the incident to assess its impact.

"After discovering the event, we quickly took steps to terminate the unauthorized party's access to the employee's emails," Kaiser Permanente added [PDF].

"This included resetting the employee's password for the email account where unauthorized activity was detected.

"The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future."

The health care provider did not find evidence that the PHI stored in the hacked email account was stolen or misused after the incident but couldn't completely rule out this possibility.
