Kaiser Permanente, the prominent US non-profit health care provider and insurer, recently disclosed that it has suffered a data breach. The incident exposed protected health information belonging to nearly 70,000 individuals.

Kaiser Permanente was founded in 1945 and today provides a broad range of healthcare services to more than 12.5 million members across multiple US states and Washington, D.C.

Sensitive information exposed

The not-for-profit healthcare organisation revealed the breach in an official notice published on its website. Kaiser Permanente stated that in early April an attacker had accessed the email account of one of its employees without authorisation. The email account contained protected health information (PHI) belonging to patients using its services.

The healthcare provider's breach notice stated:

"This notice describes a security incident that may have impacted the protected health information of some Kaiser Permanente patients who may have been affected by an unauthorised access incident on April 5, 2022. The specifics of the unauthorised access were provided to individuals affected in a letter sent by Kaiser Permanente on June 3, 2022."

The data exposed in the April attack included patients' first and last names, dates of service, medical record numbers and laboratory test results. Kaiser Permanente maintains that no credit card details or Social Security numbers were exposed in the breach.

The organisation also said that the incident affected only patients in Washington state who were covered by a Kaiser Foundation Health Plan.

Rapid action taken to contain the breach

Kaiser Permanente has told those potentially affected that it cut off access to the email account within hours of detection. Once the attacker's access had been terminated, the organisation opened an investigation into the incident and began assessing its likely impact.

The healthcare provider described the actions it took after detection to remediate the situation:

"After discovering the event, we quickly took steps to terminate the unauthorised party's access to the employee's emails. This included resetting the employee's password for the email account where unauthorised activity was detected."

It added that the employee whose account was compromised received additional training on secure email practices, and that Kaiser Permanente was exploring further measures it could adopt to prevent similar incidents in future.

Kaiser Permanente said it found no evidence that the PHI stored in the compromised email account had been misused or exfiltrated, but acknowledged that it could not rule out that possibility entirely.

While the healthcare organisation did not state the precise number of patients affected in its breach notice, the breach report it filed with the US Department of Health and Human Services' Office for Civil Rights indicates that the incident exposed the PHI of 69,589 patients.