Breach Leaves Thousands Of Kaiser Permanente Employees Checking Their Credit Report (update)

KXL FM reports that Kaiser Permanente has sent notifications to some current and former employees after their data were found on an external hard drive purchased in a second-hand store in September 2011:

Maryann Schwab with Kaiser Permanente says names, phone numbers, social security numbers and other personal information was found on a non-Kaiser external hard drive in September of 2011.  The person that bought the hard drive called Kaiser and is gave (sic) the hard dive up to police.  “The information on the hard drive was downloaded to it in 2009” said Schwab, “since then KP has taken steps to bolster the fire wall for sensitive data.”

A delay in notifying of over five months? That seems unusually long by today’s standards. I expect/hope we’ll see some explanation or statement from KP to explain the delay. Because this is not patient information, California’s 5-day notification law does not apply. Nor does HITECH’s 60-day timeframe. Will the state do something to fine KP for the delay? If this were Connecticut, I’d bet yes, but I’m not placing any bets on what California will do in this situation.

Update: Please see comment below for text of KP’s notification letter.

About the author: Dissent

11 comments to “Breach Leaves Thousands Of Kaiser Permanente Employees Checking Their Credit Report (update)”

You can leave a reply or Trackback this post.
  1. Breach Sept 2011 - March 23, 2012

    Ok so im a kaiser Employe and this just was found out ? ok Well if you look Back in 2009 Kaiser had a Breach Then too in CA Area from a Lady called Mia it was on the news there in CA She got info from a known source i belive it was OFN union ?, this Hard drive they received steems back from Feb. 2009 if you listened to the spokes lady from Kaiser it was copied in 2009 to that hard drive , And if you look back to 2007 there was a Class action on Kasier whitch was filed in Oct 2009 because of a small fraude grp of 20 people or so. And Kaiser says it was only a few MO. try 3 to 5 years they have known about this as far as i see it .
    Someone needs to investigate this , i belive they have been keeping this from us a long time .
    Why isnt someone doing something about this? what can we do as Kaiser employes besides take the small here you go for a year and your safe sorry about that ,
    Something needs to be done ,

    We need help to make sure this never happens again and what do the thousands of us do wait and watch our credit report

    is there any way to file a Class action suite ? Kaiser i belive has been keeping this from us and it has been Years this has been going on and we just Got told about this in a letter ?

    Thanks kaiser your the best Employer (not) Glad im retireing this year as long as my retirement plan is still there

  2. Breach my ass - March 24, 2012

    They waited to notify because they are more worried about covering their UNETHICAL ass! If you Google Kaiser Fraud and corruption you will get over 100,000 sites in less than a second. The company is an organized for profit crime, I know this because I am a former healthcare provider for Kaiser. They DO NOT care about employee’s or patients only the profit. However their are some good doctors at Kaiser, but they aren’t around long, they are either bullied out for being ethical or they quietly leave.

  3. Anonymous - March 27, 2012

    I also was a Kaiser employee that was flabbergasted that I just received a letter in the mail, explaining that ‘none of my health care information was involved’ like this would reassure me that it is okay to have my name, address, and social security number left on some hard drive which was located and identified back in September 2011. My letter was dated March 19, 2012 and neither the FBI or Kaiser cared enough to inform me that my information was at risk and breached!!!! It is a small wonder that now Kaiser wants to make sure that no unusual activity shows up on my credit report, what happens to the past six months worth of activity that I may or may not have been watching closely????? I am ticked to say the least!!!! And I am pursuing this disaster until they know my name and I get personal phone calls back on any updates or changes. I will, for one, keep them accountable for this mistake!

  4. Anonymous - March 27, 2012

    Oh and also my pay stub information was part of this breach…..
    And it was told to me that this information occured prior to when 2009 controls were put in place, ie encryption and firewalls, so what happened to my information prior to end of 2009? I worked for them for many years????????

  5. Anonymous - March 27, 2012

    Yes a reported 30,000 employees…..lawsuits/lawyers get ready!

    • admin - March 27, 2012

      What is your source for that 30,000 figure, please? And could you email me a copy of the notification letter you received so I can upload it? I can redact it if you need it redacted, or if you can redact it and email it to this site, that would be great.

  6. Anonymous - March 27, 2012

    My source is Kaiser Permanente.

    Letter contents:

    “We are writing to let you know of a breach of confidential employee information, including some information belonging to you. We take our employee’s privacy very seriously and we sincerely apologize that this happened.

    The data, which was found on a non-Kaiser Permanente external hard drive that was purchased second-hand, included your personally identifiable information, including your name, address, and Social Security number. In some cases, there may have been additional data from Kaiser Permanente pay stubs or Kaiser Permanente COBRA Error, Trust Fund Paid Hours, or Fidelity Savings Plan Deduction reports. None of your personal health information was involved. The most recent employee data found on the hard drive was from 2009 and we have no evidence at this point to indicate that this information has been or will be used for illegal purposes.

    The breach was brought to our attention in late September 2011 by the individual who purchased the hard drive, and we immediately took steps to get possession of the equipment and notified law enforcement. As soon as law enforcement concluded its own analysis of the hard drive, which took several weeks to complete, we bagan our own investigation. Our investigation of the breach is still underway. We have determined the internal source of the data found on the hard drive and are pursuing additional facts, and we are taking appropriate steps to make sure that it does not happen again.

    We understand your concerns about your information being compromised. To help protect you, we are providing you one year of professional credit monitoring at Kaiser Permanente’s expense.

    • admin - March 28, 2012

      Thank you so much for posting that. I don’t see any 30,000 figure in there, though. Where are you getting that number from?

  7. Anonymous - March 28, 2012

    Kaiser Permanente HR Supervisor.

  8. Anonymous - March 28, 2012

    I was told by the credit company(the number on the letter from Kaiser) contracted by Kaiser, that there were approx 30,000 employees confidential information that was breached. I also contacted Kaiser Compliance Hotline and was given a number for Kaiser Security. Kaiser security rep also confirmed the 30,000 employees info breach. Neither Kaiser security nor the credit agency were very forthcoming with much info regarding the details of the breach stating “this is an ongoing investigation” I was told the FBI, Computer forensics and the police were investigating, however not stating which police agency was involved with this investigation. I am a victim of this breach and feel I have a right to know what the hell is going on. I am totally in on a class action law suit and I say we take it to them!!! We as employees have to jump through hoops to keep our members info confidential (which I totally agree with) but Kaiser does not seem to have that same respect for their employees. confidential info.

    • admin - March 28, 2012

      Thanks for explaining where you got the information.

Comments are closed.