An old HIPAA incident rears its very ugly head again
Like other journalists who cover data breaches in the healthcare space, I routinely check HHS’s public breach disclosure tool (sometimes called “The Wall of Shame”) to see what breaches have been reported to them and with what numbers.
One of the recent entries was from a “Stephan C. Dean” who listed himself as a business associate in California. The breach reportedly involved 70,000 patients and was described to HHS as a “Hacking/IT Incident” where the protected health information had been located on “Desktop Computer, Electronic Medical Record, Email.”
Because I suspect my fellow breach reporters are wondering about this one, I’ll try to explain what it’s about — at least as far as I understand it.
Beginning in July, 2012, the Los Angeles Times and this site reported on a business dispute involving Kaiser Permanente and its business associate, Surefile Filing Systems. Surefile is owned by Stephan Dean and his wife, Liza. The conflict involved the return of all records to Kaiser after Surefile had performed work for them. While Surefile had returned the paper records and Kaiser believed that ALL records had been returned to them, they subsequently learned that Surefile remained in possession of emails that contained patient information — not patient medical records, but spreadsheets and information about patients that had been transmitted to Surefile as part of the work they had done for Kaiser. In some cases, that information also included patients’ Social Security numbers.
A confidential settlement that was reached in March, 2011 ultimately fell apart. Dean informs this site that although Kaiser offered him $250,000 and a new settlement agreement if Surefile would turn over their computers and give Kaiser access to their email accounts, Dean wanted $600,000.
In early 2012, Dean filed a complaint against Kaiser with HHS, claiming that they sent him unencrypted emails containing ePHI, and had violated HIPAA in other ways as well. He also claimed that the privacy and security ePHI on his computer may have been compromised by some viruses. The following year, HHS would notify Kaiser that it was opening an investigation into the complaint.
From filings this site has seen, their case did not go well for them and they decided to dismiss it. To add to Kaiser’s losing record in the conflict, the California Department of Health allegedly investigated Kaiser and made them adopt a corrective action plan. The only break Kaiser Permanente seemed to catch in this case during that period was that HHS closed their investigation without further action or any penalty, even though Kaiser had not had a proper business associate agreement in place with Surefile before it turned over patient records to them. The OCR letter provides a good summary of the dispute and where things stood as of September, 2013.
But even after dismissing their civil suit, Kaiser didn’t give up on trying to get those email files. In February, 2014, the FBI raided Surefile and seized all their computers and devices. In 2017, the government returned the devices to Surefile without wiping them because no charges were filed against the Deans or Surefile.
So the Deans still had all those unencrypted emails on their computer which, by their own prior statements, may have previously been compromised by viruses, and was not being kept in a particularly secure facility. They tell DataBreaches.net that they repeatedly tried to get Kaiser to help them encrypt the emails, but that Kaiser wouldn’t help them. The Deans’ request was not without strings, it seems. Uninvolved third parties looking at the history and correspondence might understandably think that the Deans were trying to shake Kaiser down for more money, although Dean denies that they are doing anything of the sort.
Then in August, 2019, Microsoft informed Surefile (and many others) of a breach.
From: Microsoft account team
<[email protected]<mailto:[email protected]>>
Sent: Tuesday, August 20, 2019 9:32 PM
To: [email protected]<mailto:[email protected]>
<[email protected]<mailto:[email protected]om>>
Subject: Microsoft account security alert
Microsoft account Security alert
We think that someone else might have accessed the Microsoft account firstname.lastname@example.org<mailto:email@example.com>. When this happens, we require you to verify your identity with a security challenge and then change your password the next time you sign in.
If someone else has access to your account, they have your password and might be trying to access your personal information or send junk email.
If you haven’t already recovered your account, we can help you do it now.
Learn how to make your account more secure<http://go.microsoft.com/fwlink/?LinkID=263818>.
The Microsoft account team
Dean obtained the IP address of the unauthorized individual who accessed his account and contacted Kaiser to inform them of the possible breach involving patient information still on his computer. And he informed them that if they did not make notifications, he would be obligated to. Dean sent Kaiser a sample of the unencrypted data that still resided on his computer.
And once again, Dean tried to get a new settlement agreement — one that would supercede the one that had been signed in March, 2011.
Kaiser responded to Dean’s notification by asking numerous questions to help them determine whether this would be a reportable breach under HIPAA and HITECH. Dean did not give them the answers, claiming it required a forensic expert to determine and he would make the computer available if there was a letter of intent concerning a new agreement. And yes, it would involve some payment to the Deans.
In January, 2020, counsel for Kaiser Permanente wrote to Dean:
As previously stated in numerous communications over the years, KP is willing to engage a third party forensic IT consultant to wipe the Dean’s computers, disks, drives, phones, and email accounts that contain any and all PHI and saved either locally or remotely at no charge to the Deans if the Deans are unable to wipe their devices and email accounts themselves. If the Deans want to avail themselves of this offer, then they must agree to surrender their devices and email account information (including passwords) to an IT forensic expert engaged by KP to perform this wiping service. KP will not charge the Deans any money to perform this service on their behalf – and KP will not pay the Deans any money either, for any purpose whatever, including but not limited to reimbursement for time or moneys expended in furtherance of the forensic activity or as settlement of past disputes.
And at some point thereafter, Kaiser Permanente stopped responding to Dean’s communications altogether. So a few weeks ago, Dean filed a report with HHS claiming that 70,000 patients were (potentially) impacted.
DataBreaches.net asked Dean where he got the 70,000 number from when some of the correspondence he had shared with this site mentioned 7,000. He replied that the 7,000 was in reference to just the sample Kaiser had been provided and:
Data base created was over 70 thousand, that is tip of iceberg could be PHI on close to a million. Forensic accounting only way to determine.
So data from an incident that was reported years ago was potentially compromised again in a 2019 breach. If notification to individuals was required again now in light of some new risk, then it should have been made by the end of October, 2019. But how could Kaiser determine if notification was needed if Dean wouldn’t cooperate without them having to agree to a number of terms that included some more payment? And how could they notify anyone without the cooperation of Dean?
Dean informs this site that there is currently no litigation involving his firm and Kaiser.
DataBreaches.net reached out to Kaiser to discuss the case via email on two occasions last week, including contacting the in-house lawyer who was representing them in the matter, but received no reply.
This post may be updated if Kaiser does respond with a statement. Or it may be updated if I learn that I’ve unintentionally misstated any of the chronology or claims. This saga/case is just a hot mess and difficult to report on.