Breach Leaves Thousands Of Kaiser Permanente Employees Checking Their Credit Report (update)
KXL FM reports that Kaiser Permanente has sent notifications to some current and former employees after their data were found on an external hard drive purchased in a second-hand store in September 2011:
Maryann Schwab with Kaiser Permanente says names, phone numbers, social security numbers and other personal information was found on a non-Kaiser external hard drive in September of 2011. The person that bought the hard drive called Kaiser and is gave (sic) the hard dive up to police. “The information on the hard drive was downloaded to it in 2009” said Schwab, “since then KP has taken steps to bolster the fire wall for sensitive data.”
A delay in notifying of over five months? That seems unusually long by today’s standards. I expect/hope we’ll see some explanation or statement from KP to explain the delay. Because this is not patient information, California’s 5-day notification law does not apply. Nor does HITECH’s 60-day timeframe. Will the state do something to fine KP for the delay? If this were Connecticut, I’d bet yes, but I’m not placing any bets on what California will do in this situation.
Update: Please see comment below for text of KP’s notification letter.