Kaiser Permanente Notifying Members That Some Patient Information Posted Online
Oakland-based Kaiser Permanente is notifying 140 patients in Northern California that a former employee has posted medical record numbers, patient names and information about some routine lab tests on her blog, the San Jose Mercury News reports. Test results were not posted.
Kaiser spokesperson Matthew Schiffgens said that Kaiser in January launched an investigation after being informed of the security breach by the HHS Office of Civil Rights, the agency charged with enforcing the medical privacy rule of the Health Insurance Portability and Accountability Act. In addition, Kaiser on Wednesday asked the Internet service provider hosting the blog to remove the data, Schiffgens said.
The former employee, who calls herself the "Diva of Disgruntled," said that the company posted the patient information on an unsecured technical Web site and that Kaiser took the Web site down only after she directed company officials to it. The former employee said she reposted the information to another site to illustrate how easy it was for someone to access the information, which she said had been on the Internet for a year. The former employee said she also filed a complaint with OCR.
Schiffgens said Kaiser has been unable to confirm the former employee's claims that the company had posted private patient data on an unsecured Web site, but he said the woman breached her obligation to protect member confidentiality by posting the information herself. Schiffgens said Kaiser might take legal action against the former employee.
Under HIPAA medical privacy rules, the former employee, if convicted, could face fines of as much as $250,000 and 10 years in prison for unlawfully disclosing patient data (Feder Ostrov, San Jose Mercury News, 3/11).