Some 5,100 patients treated at Kaiser Permanente were sent HIPAA breach notification letters Friday after a KP research computer was found to have been infected with malicious software. Officials say the computer was infected with the malware for more than two and a half years before being discovered Feb. 12.

The computer was used by the Kaiser Permanente Northern California Division of Research to store research data. The breach, officials note, involved patients participating in specific research studies and may have compromised their names, birth dates, medical record numbers, lab results associated with research, addresses and additional medical research data.

"We have confirmed that the infection was limited to this one compromised server, and that all other DOR servers were and are appropriately protected with anti-virus security measures," said Tracy Lieu, MD, director of the division of research at Kaiser Permanente, in an emailed statement to Healthcare IT News. "It is important to note that the compromised server is used specifically for research purposes at the DOR and is not connected to Kaiser Permanente's electronic health records system."

Lieu said the antivirus software on the server was not updated "due to human error related to the configuration of the software."

Added Lieu, "We value our members and take protecting the privacy and security of their information very seriously. We apologize that this unfortunate incident occurred."

According to data from the Department of Health and Human Services, this is the fourth large HIPAA breach for Kaiser Permanente, which includes Kaiser Foundation Health Plan, Kaiser Foundation Hospitals -- consisting of 32 hospitals -- and Permanente Medical Group.
Last November, in its second reported data breach of last fall, KP notified 49,000 of its Anaheim Medical Center patients that their protected health information had been compromised after an unencrypted USB drive containing their data went missing.

Back in September, some 670 patients received breach notification letters after an emailed attachment containing patients' protected health information was sent to a recipient outside the Kaiser network. According to KP officials, the attachment was accidentally emailed by a Kaiser employee to a member of a pilot wellness screening competition back in May.

The third incident occurred at KP's Medical Care Program back in 2009, when an unencrypted portable drive was stolen from an employee's car, compromising the health data of some 15,500 patients.

Theft accounts for the lion's share of HIPAA privacy and security breaches, representing some 48 percent of all breaches reported, as Susan McAndrew, deputy director for health information privacy at HHS' Office for Civil Rights, pointed out at HIMSS14.

"Pay attention to encryption," said McAndrew, particularly for any devices that can leave the office. "We're interested in protecting the data. You may be interested in protecting the property. We want to turn this into property losses as opposed to data losses."

To date, more than 30.6 million individuals have had their PHI compromised in a large HIPAA privacy or security breach -- breaches involving more than 500 people -- according to data from the Department of Health and Human Services.
HIPAA-covered entities and, now, business associates have handed over some $18.6 million to settle alleged federal HIPAA violations, with $3.7 million of that from last year alone. And this isn't counting the state and private legal settlements.