Kaiser Permanente Employee Improperly Accessed EHR

On Nov. 18, Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc. posted an alert to its website regarding a privacy incident for some Kaiser Permanente patients. Letters have been sent to impacted patients, although the alert on the website says that some letters were undeliverable, and the organization was not able to find current addresses for some patients.

The alert says that “On September 21, 2022, Kaiser Permanente determined that one of its employees inappropriately accessed portions of medical records for patients in the Mid-Atlantic region without a reasonable basis. An investigation determined that the former employee’s access was outside the scope of their permissible job functions. We reported these facts to federal agencies to meet our obligations under applicable laws and regulations.”

Further, “No Social Security numbers or financial information were involved in this incident. Additionally, there is no evidence that the accessed information has been used or shared to commit fraud or any other criminal activities. Our investigation determined that demographic information (including name, medical record number, address, email address, contact telephone number(s), and date of birth), and medical information was viewed, and, in some cases, photos were also viewed.”

The alert goes on to explain that the individual responsible is no longer employed at Kaiser Permanente and the incident has been reported to federal agencies. Additionally, the organization is reviewing its policies and procedures surrounding patients’ medical records.

Kaiser Permanente urges patients who would like more information on ways to protect themselves against identity theft to visit the Federal Trade Commission’s Identity Theft website.