Kaiser Permanente Northern California Department of Research is notifying patients of a breach that they believe occurred in October 2011.
OK, now that I have your attention, on or about April 3, they will begin sending out breach notification letters that say that on February 12, 2014, they discovered that a server used to store research data had been infected with malware.
Research participant information included first and last name, date of birth, age, and gender. It may also have included address, race/ethnicity, medical record number, lab results associated with the research study the patient participated in, and responses the patients provided to research-related questions, depending upon the research study. Social Security Numbers (SSN) were not included in the data. Nor were Kaiser Permanente electronic medical records.
KP says they currently have no information that any unauthorized person accessed the information on the server.
Once the incident was recognized, KP immediately removed the server and confirmed that other servers were unaffected and appropriately protected. They report that they have alerted the appropriate State and federal authorities, and are continuing to take appropriate steps to reduce the chance of future incidents like this.
You can read the template of their notification letter here (pdf).