DataBreaches.Net


Kaiser Permanente notifies employees after e-mail error exposes their SSN to unauthorized individual

Posted on November 5, 2012 by Dissent

On October 29, Kaiser Permanente began notifying employees of a breach that occurred August 24th when their names, Social Security numbers, and other information were mistakenly e-mailed to an individual not authorized to receive such information. From their letter:

[First Name] [Last Name] [Street Address] [City], [State], [ZIP code]

Dear [First Name],

We are writing to let you know of an incident involving the unauthorized transmission of confidential employee information, including some information belonging to you. We take privacy very seriously and we sincerely apologize that this happened. As a result of our investigation, we believe it is highly unlikely that your information has been, or will be, used for unlawful purposes. This notification is in compliance with California law, which requires notifying all former and current employees when there is a release of certain confidential information.

On August 24, 2012, an employee in Kaiser Permanente’s Northern California Region Recruitment department mistakenly emailed a list of former Northern California KP employees who left the organization between 1990 and 2006 to a person not authorized to receive the information. Some of these NCAL former employees have since returned to KP in various regions. This list contained, among other information, your name and Social Security number. No personal health information was involved.

The unintended recipient who received the information has been extremely cooperative. Kaiser Permanente’s IT Security conducted a detailed analysis to confirm that the recipient effectively deleted the information and that the information had not been further emailed or printed. As a result of our investigation, we believe it is highly unlikely that your information has been, or will be, used for unlawful purposes.

We also wish to reassure you that this incident involved your employment information with Kaiser Permanente only and that none of your personal health information as a member of Kaiser Foundation Health Plan was involved.

This situation was brought to our attention in late August, 2012, and we immediately took steps to investigate and secure the information that was inadvertently transmitted. We have since put in place new controls to secure this type of employee information and prevent this from happening again.

We understand your concerns about the privacy of your personal information. Again, we apologize that this unfortunate incident occurred. We have established the following phone number for you to call if you have questions or concerns: 866-578-5413. Thank you.


Category: Breach Incidents, Exposure, Health Data, U.S.


6 thoughts on “Kaiser Permanente notifies employees after e-mail error exposes their SSN to unauthorized individual”

  1. dj g says:
    November 5, 2012 at 2:17 pm

    I called the number and at first they didn’t even know what I was talking about. This third party supposedly handling things for Kaiser had less information than I got in the above letter. I spent all morning getting through only to be given exactly nothing. I called directly to the HR person whose signature is on the email.

  2. Jude says:
    November 10, 2012 at 7:34 pm

    Has the personal information of anyone on the list been used by an unauthorized person?

    1. admin says:
      November 10, 2012 at 8:29 pm

      You’d have to ask them. Their number for this breach is 866-578-5413. From the description of the incident, it seems unlikely.

  3. Don Moffett says:
    November 27, 2012 at 1:08 pm

    Two comments:

    First, the letter does not explain to the victims what information was disclosed about them and whether any of the information disclosed included HIPAA data. So the victims of this mishandling of information have no way to determine the extent of personal damage this may cause now or in the future. It is not appropriate for Kaiser to decide if there is damage or not. Victims need to step up and be heard and not let companies make these decisions for them.

    Secondly, why is Kaiser holding onto former employee data for 6 – 11 years, and just how long does Kaiser keep records on former employees and for what purposes? It is reasonable to keep data for statutory or benefit purposes, but how long is enough? So the questions of when to keep data and how long is appropriate are valid consumer, and possibly legal, questions.

    1. admin says:
      November 27, 2012 at 1:19 pm

      The letter specifically states no health information was involved, but yes, they should have been more detailed about what types of data were involved. That said, saying that SSN were involved should get people concerned enough to take steps to protect themselves as a first response.

      1. Don Moffett says:
        November 27, 2012 at 11:11 pm

        The term health information is ambiguous as opposed to HIPAA, which identifies specific information that requires protection. I would expect a healthcare organization to be more specific and not give themselves shades of gray. Sorry I was not clear in my distinction between health information and HIPAA information.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.