Kaiser Foundation Health Plan of Washington sent a notice to some of its patients on June 3 regarding a security incident. The incident, according to the notice, happened on April 5.
The notice says that “On April 5, 2022, Kaiser Permanente discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident. We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.”
Further, “We do not have any evidence of identity theft or misuse of protected health information as a result of this incident. However, we take this incident seriously, and this notice provides details of the incident and our response.”
The notice explains that the protected health information that was possibly exposed includes first and last name, medical record number, dates of service, and laboratory test results/information. Kaiser says that “sensitive information” like Social Security numbers and credit card numbers was not included in the potentially exposed information.
According to a June 14 article from TechCrunch by Carly Page, Kaiser has not revealed the size of the breach, but a separate filing with the U.S. Department of Health and Human Services confirmed that 69,589 individuals were affected.
Page reports that “TechCrunch asked Kaiser how an unauthorized third-party was able to gain access to the employees’ emails but the company would not comment by press time. However, it said in its notice that the hacked employee ‘received additional training in safe email practices,’ suggesting the breach may have been the result of either credential stuffing or phishing. Kaiser added that it is ‘exploring other steps we can take to ensure incidents like this do not happen in the future,’ but the company would not say what these steps were.”