Search Results: Kaiser fined

Jul 16, 2009

The Kaiser Permanente hospital in Bellflower has been hit with a $187,500 fine for failing for a second time to prevent unauthorized access to confidential patient information, state public health officials said today.

[Updated at 3 p.m.: A spokesman for the hospital said the fine was part of the ongoing investigation into employees improperly accessing the medical records of Nadya Suleman and her children. Disciplinary action has been taken against the employees, said Jim Anderson, a hospital spokesman. All the incidents occurred in January; a previous post said they had occurred in April and May.]

State officials said Kaiser Permanente Bellflower Medical Center compromised the privacy of four patients when eight employees improperly accessed records. This is the second penalty against the hospital, officials said.

The hospital was fined $250,000 in May for failing to keep employees from snooping in the medical records of Nadya Suleman, the woman who set off a media frenzy after giving birth to octuplets in January.

Read more in the Los Angeles Times. Keep in mind that this is not HHS fining them under HIPAA, but the state fining them.

Jan 24, 2018

I like seeing state attorneys general take enforcement action over breaches, even if the amount of the monetary penalties is quite small, as in this case. This case may remind people who have offices or satellite offices in their homes that they can’t just leave employee or patient data lying around where anyone can see it or easily access it.

TOPEKA – (January 18, 2018) – A Topeka healthcare company and its owners have been fined for failing to protect patient and employee records, Attorney General Derek Schmidt said.

Pearlie Mae’s Compassion and Care LLC, and Ann Marie Kaiser and Jenell Jones, the owners of the company that provides care for disabled consumers, agreed to pay an $8,750 civil penalty for violations of the Wayne Owen Act, which is part of the Kansas Consumer Protection Act. The consent judgment, which was approved last week by District Judge Franklin R. Theis in Shawnee County District Court, also requires the defendants to make changes to their business practices in accordance with state laws and to pay the attorney general’s investigation costs.

In June 2017, during the course of assisting the Topeka Police Department in executing a search warrant, special agents of the Kansas Attorney General’s office observed patient and employee records containing personal information in Kaiser’s home, which also served as one office location for the company. The records were found in open view, unsecured and accessible to anyone in the residence, including persons who had no legitimate business reason to access the personal information in the records. A lawsuit filed by Schmidt in June alleged the defendants failed to implement and maintain reasonable procedures and practices to protect personal information and failed to take reasonable steps to destroy or arrange for the secure destruction of records containing personal information when the records no longer are to be used.

“Personal information” includes information such as a social security number, driver’s license number, financial account number or credit or debit card number that can be misused to commit identity theft or otherwise harm the person whose information is compromised. It also includes any information, such as medical records, for which a security obligation is imposed by federal or state statute. Under Kansas law, businesses that collect the personal information of others have a duty to safeguard it.

A copy of the consent judgment is available here.

Source: Kansas Attorney General Derek Schmidt

h/t, WIBW

May 15, 2009

Raquel Maria Dillon of the Associated Press reports that California has fined Kaiser Permanente $250,000 because hospital employees inappropriately accessed medical records for octuplet mother Nadya Suleman when she was a patient at the Bellflower facility.

Although the fine is the first one passed under California’s new law boosting medical privacy, it is not the first fine incurred by Kaiser Permanente for violating patient privacy. In 2005, the state fined them $200,000 for exposing patient information on the web.

Jan 03, 2010

The breach of Heartland Payment Systems grabbed the headlines for much of the year and the entire population of Belize had their birth details stolen when a government employee left a laptop in a car, but what else went on?

Your details, my friend, were blowing in the wind
Although the number of breaches involving paper records does not appear to have increased from 2008 to 2009, by the end of the third quarter, paper breaches comprised more than one quarter of U.S. breaches reported in the media this year. The federal government sent a strong message when it fined CVS $2.25 million for violating HIPAA by improperly disposing of pharmacy records, but was anyone else listening?

Doctor, doctor, give me the news
Almost a year after it first reported receiving an extortion attempt with evidence that the extortionist had acquired members’ prescription records, pharmacy benefit management firm Express Scripts reported that the extortionist had acquired much more data than they originally believed. In April, the Virginia Prescription Monitoring Program database was hacked and they, too, received an extortion demand.

As in past years, we saw some large breaches involving health insurers. Blue Cross Blue Shield reported two major breaches – one involving a stolen laptop and one involving stolen hard drives. To the irritation of a number of state attorneys general, Health Net belatedly reported the loss of a hard drive with many members’ insurance or health-related information.

Over in the U.K., it seemed that every month we were reading about yet another NHS unit that had breached the Data Protection Act and was now required to sign an “Undertaking” with the Information Commissioner’s Office. We also learned that an outsource transcription service in India was selling patient information.

If the healthcare sector doesn’t make you ill, the malware will
2009’s “new math” was that hacking + malware = big trouble. The Heartland Payment Systems breach grabbed the spotlight on that in January, only ceding it temporarily when the 2008 RBS WorldPay breach resulted in a coordinated attack on over 2000 ATMs to the tune of $9 million in a few hours. Protesting their PCI-DSS compliance, the two processors were banished from the card brands’ approved list, but within months were restored to approved status.

Malware also started rearing its head more in social media networks and online banking, and a number of small businesses found themselves taking their banks to court over funds that were stolen from their accounts. And of course, despite all of the scam alerts, some people fell for phishing attempts. That would be bad enough, but when you read that 46% of all Brits use the same login/pass for all of their accounts, the problems are magnified.

On a positive note, several master cybercriminals such as Ehud Tenenbaum and Albert Gonzalez pleaded guilty to involvement in numerous large breaches, but not all of their accomplices have been apprehended and we have not been told about other payment processors that were under attack. In October, we started getting reports about a major breach in Spain that is affecting cardholders in Europe and beyond, but we have not yet been told whether it is a card processor or other entity that is the source of the breach and whether or not it involved malware.

And as we struggled to learn names from Russia, Estonia, Romania, and Latvia, each week seemed to bring new headlines of ID theft rings that had been broken up by law enforcement. Many of the local rings did not involve malware, however, but used much more low tech approaches.

2009 was a “fine year”
Among the most publicized fines for inadequate security or breaches: TJX paid almost $9 million to settle with 41 state attorneys general, Heartland Payment Systems paid American Express $3.6M over its 2008 data breach and claimed that it is fighting MasterCard’s more than $6 million fine. Over in the U.K., the Financial Services Authority (FSA) fined HSBC Life UK, HSBC Actuaries and Consultants, and HSBC Insurance Brokers more than £3m. The FSA also fined UBS £8 million.

The U.S. Commodity Futures Trading Commission fined Interbank FX, LLC (Interbank) $200,000, the Financial Industry Regulatory Authority (FINRA) fined Centaurus Financial (CFI) $175,000, and the Securities and Exchange Commission fined Commonwealth Financial Network $100,000.

It was also a busy year for state attorneys general. In addition to the TJX settlement, CVS and Walgreens settled with Indiana’s Attorney General, while Payment Resources International paid a fine to the Vermont Attorney General. BNY Mellon was fined by the Connecticut Attorney General and Blue Cross was fined by the Delaware Insurance Commissioner. Kaiser Permanente was also socked with a few fines by California over employees snooping in celebrity patients’ files.

That settles that!
In 2009, the FTC settled charges against ChoicePoint, James B. Nutter, Comp Geeks/Genica (Compgeeks), and Rental Research Services, while the Texas Attorney General settled charges against Cornerstone Fitness and the Florida Attorney General settled charges against VICI Marketing.

Class-action lawsuits in response to breaches generally continue to disappoint irate consumers, who seem to keep trying anyway. In 2009, most of the Hannaford Bros. breach lawsuit was dismissed, and an attempt to file a class-action lawsuit against Express Scripts was dismissed. Among the breach-related lawsuits that settled during the year were the 2006 stolen V.A. laptop lawsuit, the D.A. Davidson lawsuit, a Heartland Payment Systems class action suit by consumers, and TJX settlements with some banks and 41 state attorneys general. Other lawsuit settlements either received preliminary approval or were rejected: Countrywide Financial (approved), TD Ameritrade (rejected), and the Olive Garden FACTA lawsuit (approved). But consumers weren’t the only ones disappointed by lawsuit outcomes in 2009. Cumis was dealt a blow when the Massachusetts Supreme Court ruled that BJ’s Wholesalers and Fifth Third Bank were not liable to Cumis for the costs it incurred after the BJ’s breach.

Also new in 2009: two groups of restaurateurs filed lawsuits against Radiant Systems, alleging that the vendor’s software was not compliant and was responsible for the hacks they suffered in 2007 and 2008.

New laws delayed, watered down, nonexistent
This year, the FTC introduced new Red Flag Rules in the hope of reducing identity theft. The effective date was delayed and delayed…. and groups successfully sued to be exempt from the rules. Similarly, Massachusetts’ new data security regulations were amended and are now slated to go into effect in March 2010, but I’m not holding my breath on that. Of course, we still have no federal data breach notification law, and some of the proposed laws don’t even include mandatory notification of paper breaches. The new HITECH Act which sounded pretty good when Congress passed it got watered down by HHS to include a “harm” threshold that Congress had rejected. The law has been in effect since September, and to date, the public web page where reported breaches are to be posted is…. empty.

And to add further insult to injury, Governor Schwarzenegger vetoed a privacy protection bill that would have made California’s protections even stronger.

So what will you remember about 2009 breaches? You can use the comments section below to add your memories or commentary.

Jun 06, 2008

Yesterday’s Kaiser Daily Health Policy Report reported:

Lawmakers, patient-privacy and health care advocates, and information technology experts on Tuesday “debated … how Congress can strike a balance between accelerating the adoption of a nationwide system of electronic medical records while protecting patient privacy,” CongressDaily reports (Noyes, CongressDaily, 6/4). The House Energy and Commerce Subcommittee on Health hearing focused on a health IT bill drafted by Committee Chair John Dingell (D-Mich.) and ranking member Joe Barton (R-Texas). The bill would require the federal government to set software and hardware standards for health programs, such as Medicare, and assist providers in purchasing and establishing health IT systems (Wayne, CQ Today, 6/4). (Full story)

Having watched most of the hearings, I found myself occasionally shaking my head and wondering what it will take before some members of Congress realize that this is not about Congress finding a “balance” between privacy and a nationwide system of EMR. Suggesting that there even should be a “balance” indicates that the individual simply does not grasp the fundamental and nonnegotiable point that if Congress does not ensure privacy and security, a significant chunk of our society will simply not agree to nor sign on to the use of EMR, PHR, or digital storage of their data on any device connected to the internet.

Let’s stop wasting time talking about “balancing” privacy and interoperability and figure out how to adequately ensure privacy and security in a cost-effective way.

As both a healthcare professional and a privacy advocate, there are a few basic principles of healthcare in our country’s tradition and history that I think warrant repeating here:

1. Healthcare is predicated on confidentiality.
2. Healthcare requires informed consent.
3. The primary purpose of healthcare is the welfare of the individual and society, not the pocketbook of industries.
4. Those involved in healthcare are held accountable.

The challenge is to implement those fundamental principles into EMR and online systems.

Translating Confidentiality into Digital Health

The principle of confidentiality translates into the commitment to keeping an individual’s health information protected and private. But Congress, HHS, and the states have so far failed to achieve reasonable security for PHI in digital form. HHS has not fined a single entity for violation of the HIPAA Privacy Rule since its implementation in April 2003, and outcomes of any CMS/DOJ investigation of violations of HIPAA’s Security Rule are generally not shared with the public. provides chronologies of breaches that were reported in the media beginning with the implementation of HIPAA’s Privacy Rule in April 2003. Has Congress or the GAO analyzed the data in these chronologies to determine the patterns and areas in need of correction? I doubt it. Congress and the GAO have the power to require entities to submit more data on breaches, and to integrate those reports with what we have seen reported in the media and reports to the FTC. Why hasn’t that been done? Using other sites that are focused on financial fraud tends to underestimate the number and extent of breaches involving health-related information. Only has tried to compile all media reports that include hacks, stolen laptops, improper disposal of paper records, and other types of breaches. Indeed, had the Kaiser representative on the panel been a reader of this site, he would have been able to answer Rep. Markey’s questions about post-2005 incidents (the answer is that there have been other incidents involving Kaiser involving stolen laptops in both 2006 and 2007).

In 2008 alone, we have seen some significant breaches involving health information. In April, this site’s parent site, exposed two breaches involving WellPoint, Inc. that affected over 130,000 individuals and that appeared to involve millions of personally identifiable records. For all the public knows or was told, WellPoint may have exposed over 34,000,000 people’s records for over a year through their inadequate server security. But WellPoint did not answer questions, Congress did not investigate the incident so that it could learn what provisions it might need to incorporate in any new laws, and segments of the public are left wondering whether they can trust anybody with their health data. The fact that WellPoint — the country’s largest public health insurer — has had at least four breaches in less than two years involving unencrypted data — should make any member of Congress who suggests that privacy advocates are overreacting in our concerns blush.

Just this past week, we learned that some students at University of California – Irvine were the victims of income tax refund fraud. After months of investigation, the source of the problem was linked to UnitedHealthcare, which provided health insurance for the 1,132 graduate students. UHC has not revealed any details about the breach, so again, we are left wondering what caused the security failure, and how many people might ultimately have been at risk.

Insurance companies are not the only source of concern, however. We have seen reports from government contractors such as SAIC where 900,000 people had their personal health information compromised due to security breaches.

In every sector, PHI is at risk, and once sensitive information is exposed on the web, there is no way to get it back with any assurance that it has not been duplicated and stored on servers elsewhere for use by criminals. Before Congress asks the public to trust our sensitive information to any system, show us that it will be kept secure and private.

During the hearings this week, Dr. Deborah Peel of recommended that any new legislation include a definition of privacy. I concur. Where I do not agree with her is in her apparent willingness to waive an individual cause of action. Congress erred by not including individual cause of action under HIPAA and it should correct that error now. Violation of a patient’s privacy or confidentiality deserves accountability and the patient should be able to have recourse in a court of law.

Informed Consent

One of’s recurring themes is that our health information is being data mined beyond our worst nightmares and that most people have no idea who has custody of their information or how it is being used for commercial gain. Certainly, the more entities that have custody of our health information, the greater the risk of a privacy and security breach. But even putting that serious concern aside for the moment, patients’ identifiable health information should not be sold or exchanged with any commercial entity who is not involved in the provision of care or processing of payment for care without the patient’s informed and opt-in consent.

Industries and organizations routinely push back hard against informed and opt-in consent. They may try to rationalize their pushback on the basis of promoting patient care, but the reality is that most uses are not patient care. This needs to stop. Patients should be able to sign a consent form that clearly specifies the nature of parties with whom information may be shared without further request for signed consent (e.g., laboratories to whom samples may be sent, payment processors, other doctors the patient is referred to if the patient wants the referral, etc.). But the consent stops there and does not transfer down the chain of custody — or should stop there for non-treatment purposes — and if those parties want to be able to do anything else with the data or information, they should be required to obtain the written and informed opt-in consent of the patient.

If businesses do not want to ask for consent for fear that patients will say “no,” then that is precisely why Congress must insist that patients be asked. It is inexcusable that Congress should cave in to industry pressure on this point. Informed and opt-in consent will inspire patient trust in the system and better protect the privacy and security of the data.

EMR and Networked Health Must be Patient-Centric

Historically, businesses have had the money to lobby Congress while grassroots or patient rights organizations lack the means to level the playing field. In her presentation, Dr. Peel spoke of her experiences as a psychiatrist and the reluctance of patients to seek mental health or to have any trail of mental health care in their records. She also spoke of returning wounded warriors who may be reluctant to seek care for fear of stigma or the treatment becoming a part of their record that will be available to too many or accidentally exposed in a security breach.

My professional experience mirrors Dr. Peel’s. As a mental health professional, I must deal daily with the fears of patients who do not want their insurance carriers to have sensitive information about them. Their only recourse is to pay directly and not submit claims for reimbursement. Once the insurance company has the information, the patients know that there is a real risk that it may be used against their interests at some point or it will wind up exposed in Google or in the hands of hackers who may use the information for medical ID theft or garden variety fraud or ID theft.

While networked care has the potential to serve many people well, it will not serve people who cannot trust the system.

Disclosure and Notification

During the hearings, it was suggested that the proposed threshold for notification and disclosure was too low. The panel of experts agreed. I disagree. Again, as an issue of trust, if someone has custody of your PHI and loses it or has it stolen, then it is incumbent that the patient be notified. It should not be up to the party who lost the data to determine the risk to the individual, because the issue is not just risk of ID theft, financial fraud, or embarrassment. The issue is trust between the patient and provider and the best way to promote trust is to say that whenever there is an incident, the patient will be notified.

In the alternative, Congress could simply mandate giving patients the choice about whether they would want to be notified. Initial informed consent forms could include a provision in the patient’s primary language that says, “If …., then do you want to be informed, and if yes, how do you want to be notified — by mail, phone, or email?”

As part of a national initiative, Congress should also include two additional provisions:

1. Any covered entity who experiences a breach must post a notice on its web site, with a prominent link from the home page of the site showing site visitors where they can read any such notices, and

2. All entities who experience a breach should be required to report it to HHS, who should then post a link to the notification on a special web site that consumers and the public can check.

I realize that businesses and entities will not want to do these things. No one likes to admit publicly that they had a problem. But if all entities were held to the same standard, consumers and patients would be in a better position to determine who should be trusted and who shouldn’t.


There was no discussion of outsourcing during the hearings this week, but how will Congress ensure privacy and security and accountability if covered entities outsource to companies outside of U.S. law? Just this past week, we learned that an outsourcer in India for an American marketing firm stole the firm’s data after the firm canceled their contract. They then sold it off to the company’s rivals. Many of the firm’s mail lists included medically related lists, such as those on particular medications or with particular diagnoses. Who is going to be responsible here?

Fix HIPAA or Torch It?

During the hearings, the question was raised as to whether to try to fix HIPAA or just start over. Dr. Peel indicated her willingness to work on fixing it. But to fix HIPAA requires a major overhaul that would expand the definition of covered entities to include any entity in possession of certain types of information, and it would require inclusion of notification and disclosure provisions that are vastly stronger than the current provisions. Under the existing rules, there is simply no requirement to notify patients of a breach. There is an obligation to mitigate harm, but not to notify. That is wholly unacceptable. There is also no individual cause of action for a willful privacy violation, and that, too, is unacceptable. It is hard to find what is “right” about HIPAA for the digital age in which we live. It is time to move on.