On October 29, Kaiser Permanente began notifying employees of a breach that occurred August 24th when their names, Social Security numbers, and other information were mistakenly e-mailed to an individual not authorized to receive such information. From their letter:
[First Name] [Last Name] [Street Address] [City], [State], [ZIP code]
Dear [First Name],
We are writing to let you know of an incident involving the unauthorized transmission of confidential employee information, including some information belonging to you. We take privacy very seriously and we sincerely apologize that this happened. As a result of our investigation, we believe it is highly unlikely that your information has been, or will be used for unlawful purposes. This notification is in compliance with California law, which requires notifying all former and current employees when there is a release of certain confidential information.
On August 24, 2012, an employee in Kaiser Permanente’s Northern California Region Recruitment department mistakenly emailed a list of former Northern California KP employees who left the organization between 1990 and 2006 to a person not authorized to receive the information. Some of these NCAL former employees have since returned to KP in various regions. This list contained, among other information, your name and Social Security number. No personal health information was involved.
The unintended recipient who received the information has been extremely cooperative. Kaiser Permanente’s IT Security conducted a detailed analysis to confirm that the recipient effectively deleted the information and that the information had not been further emailed or printed. As a result of our investigation, we believe it is highly unlikely that your information has been, or will be used for unlawful purposes.
We also wish to reassure you that this incident involved your employment information with Kaiser Permanente only and that none of your personal health information as a member of Kaiser Foundation Health Plan was involved.
This situation was brought to our attention in late August, 2012, and we immediately took steps to investigate and secure the information that was inadvertently transmitted. We have since put in place new controls to secure this type of employee information and prevent this from happening again.
We understand your concerns about the privacy of your personal information. Again, we apologize that this unfortunate incident occurred. We have established the following phone number for you to call if you have questions or concerns: 866-578-5413. Thank you.
I called the number and at first they didn’t even know what I was talking about. This third party supposedly handling things for Kaiser had less information than I got in the above letter. I spent all morning getting through only to be given exactly nothing. I called directly to the hr person whose signature is on the email.
Has the personal information of anyone on the list been used by an unauthorized person?
You’d have to ask them. Their number for this breach is 866-578-5413. From the description of the incident, it seems unlikely.
Two comments:
First, the letter does not explain to the victims what information was disclosed about them and if any of the information disclosed included HIPAA data. So the victims of this mishandling of information have no way to determine the extent of personal damage this may cause now or in the future. It is not appropriate for Kaiser to decide if there is damage or not. Victims need to step up and be heard and not let companies make these decisions for them.
Secondly, why is Kaiser holding onto former employee data for 6 – 11 years, and just how long does Kaiser keep records on former employees and for what purposes? It is reasonable to keep data for statutory or benefit purposes, but how long is enough? So the questions of whether to keep data and how long is appropriate are valid consumer, and possibly legal, questions.
The letter specifically states no health information was involved, but yes, they should have been more detailed about what types of data were involved. That said, saying that SSNs were involved should get people concerned enough to take steps to protect themselves as a first response.
The term health information is ambiguous, as opposed to HIPAA, which identifies specific information that requires protection. I would expect a healthcare organization to be more specific and not give themselves shades of gray. Sorry I was not clear in my distinction between health information and HIPAA information.