Officials Investigate Kaiser for Potential Patient Privacy Breach

State and federal officials are investigating whether Kaiser Permanente violated patient privacy rules through its work with Sure File Filing Systems, which stored nearly 300,000 paper health records for the company, the Los Angeles Times reports.

Background

According to Kaiser, the small document storage firm -- run by Stephan and Liza Dean -- was hired to organize and move thousands of records when Kaiser acquired the Moreno Valley Community Hospital in 2008.

In August 2008, the Deans moved thousands of files from Moreno Valley to a warehouse in Indio, which they shared with another man's party rental business.

According to emails sent by Kaiser to Sure File, hospital clerks routinely messaged the Deans and asked them to pull records on specific patients.

Stephan Dean said some emails from Kaiser employees contained patients':

• Full names;
• Dates of birth;
• Physicians' names;
• Social Security numbers; and
• Treatment dates.

Until this week, the Deans had such information stored on their home computers, according to the Times.

Stephan Dean said Kaiser showed little concern for the security of patient data involved in the email requests. According to Dean, only one out of more than 600 emails from Kaiser had password protection with encryption.

In October 2012, Kaiser sued the Deans in Riverside County Superior Court for allegedly violating their contract by not returning all patient information when the company reacquired the records two years ago.

According to the allegations, the Deans also put patient data at risk by leaving two computer hard drives in their personal garage with the door open.

At one point, Stephan Dean said he was planning to contact patients about the whereabouts of their medical data because he did not believe that Kaiser had taken proper security precautions.

In response, Kaiser sought a temporary restraining order to block the Deans from disclosing confidential information. A Superior Court judge granted the request until Thursday, when the court will hold another hearing.

Comments from Kaiser, Deans

Kaiser said that it is confident that the patient data in question were never disclosed or accessed inappropriately. It said that its "vendors are contractually required to maintain secure environments for all records, and this includes Sure File."

Stephan Dean said, "We could have sold [Kaiser's] emails to somebody in Nigeria, but Kaiser doesn't care about its patients' information."

Details of Investigation

The California Department of Public Health already has determined that Kaiser "failed to safeguard all patients' medical records" by allowing the Deans to manage certain files for about seven months without a contract.

DPH said it is awaiting more information from Kaiser on its "plan of correction" before assigning any penalties.

According to HHS letters, the agency began investigating Kaiser last year after receiving a complaint from the Deans about the health system's treatment of patient data.

Kaiser officials said the organization has not been contacted by federal officials.