[editor: On June 20, 2005 the California Department of Managed Health Care (DMHC) issued the following press release announcing the outcome of its investigation into Kaiser Permanente’s unlawful disclosure of confidential patient information on the Internet. Kaiser has clearly been caught, yet is still pursuing its baseless lawsuit against the whistleblower. The DMHC doesn’t even mention, much less apologize for, its previous press release and order blaming the whistleblower for the breach.]
Kaiser Foundation Health Plan Fined by State for Exposing Patient Information on Web – Confidential data was contained on publicly viewable site
(Sacramento) – Following through on a public promise in March, the Department of Managed Health Care (DMHC) has completed an investigation and fined Kaiser Foundation Health Plan $200,000 for the unauthorized disclosure of patient health information, available on a potentially accessible Web site for up to four years.
“Patients must be assured that health plans will, at all costs, do everything possible to protect confidential information,” said Cindy Ehnes, director of the DMHC. “As we work on broadening the use of electronic medical records to improve patient care, on both the state and federal levels, health plans must make security of confidential information a top priority.”
The DMHC investigation determined that Kaiser was responsible for the creation of a Web site used as a testing portal by its information technology staff. The site contained confidential patient information such as names, addresses, phone numbers and lab results. It was set up and available for public viewing in 1999 without the prior consent of those affected, in direct violation of state law and the plan’s own privacy policies.
DMHC officials were concerned that Kaiser allowed the site to languish on the Web in an accessible format and did not act to remove it until its existence was brought to the attention of federal civil rights authorities in January 2005. In addition, Kaiser authorities chose not to inform state regulators until after the site had been reported to the media in March. However, Kaiser has since informed all of the approximately 150 members who may have been affected.
“Not only was this a grave security breach, Kaiser did not actively work to protect patients until after they had been caught,” said Ehnes. “We’re imposing this fine because we consider this act to be irresponsible and negligent at the expense of members’ privacy and piece (sic) of mind.”
Under state law, a health plan can be fined if it violates the confidentiality of medical information without first obtaining the individual’s authorization. In addition to federal Health Insurance Portability and Accountability Act (HIPAA) laws, state law has its own privacy statutes contained in the Civil Code.
Kaiser officials have until June 25 to present any information to dispute the DMHC’s findings or the fine will be imposed, and they have been cooperating throughout the investigation.
The California Department of Managed Health Care is the only stand-alone watchdog agency in the nation, touching the lives of more than 21 million enrollees. The Department has assisted more than 633,000 Californians through its 24-hour Help Center to resolve their HMO problems, educate consumers on health care rights and responsibilities, and work closely with HMO plans to ensure a solvent and stable managed health care system.
Media Reports:
Computer World (6/21) — Kaiser Permanente division fined $200k for patient data breach
East Bay Times (6/21) — Kaiser fined for patient data breach
Los Angeles Times (6/21) — Regulators Fine Kaiser Unit $200,000
Oakland Tribune (6/21) — Kaiser fined for patient-privacy breach
San Francisco Chronicle (6/21) — Kaiser fined $200,000 for posting patient data on Web
The Health Care Blog (6/21) — The Gadfly seems to have caused Kaiser real trouble
HIPAA is a joke. There are so many things that are supposed to be secured that aren’t. For instance, when you check in, that’s supposed to be held in private so that no one can hear you. They aren’t supposed to use whiteboards any longer where patients may see other patients’ symptoms, etc. Last time I checked, all that crap was still available for anyone to see in a hospital, especially Kaiser’s.
Heaven forbid there is a security breach and someone gets into Kaiser’s intranet and web applications. There are apps out there that log all kinds of Personal Health Information (PHI) in their application logs.
$200,000 is a pittance for this security breach, and yeah, I think it should go to Elisa as a reward for pointing it out.
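The comment above about applications writing PHI into their logs, and the press release’s description of a test portal loaded with real names, addresses, phone numbers and lab results, point at the same missing control: identifiers should be stripped before data reaches a log file or a test system. The following is an added example written for this page; it is not code from Kaiser, the DMHC, the blog or any commenter. The PHI key list, the regular expressions, the logger name `phi_demo` and the sample log lines are assumptions constructed for illustration, not an inventory of any real system.

```python
import io
import json
import logging
import re

# Hypothetical set of record keys that carry PHI in this application's
# structured logs (an assumption for this example; a real system lists its own).
PHI_KEYS = {"name", "address", "phone", "dob", "mrn", "ssn", "lab_result"}

# Identifiers with a recognisable shape can be caught in free text.
# Names and clinical narrative have no such shape and must be caught by key.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def scrub_text(text: str) -> str:
    """Replace formatted identifiers in free text with placeholders."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


def scrub_record(record: dict) -> dict:
    """Redact PHI keys in a structured record (recursively) and scrub
    whatever free-text strings remain under the other keys."""
    out = {}
    for key, value in record.items():
        if key.lower() in PHI_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = scrub_record(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def scrub_line(line: str) -> str:
    """Scrub one log line: JSON objects by key and content, plain text by pattern."""
    try:
        obj = json.loads(line)
    except ValueError:
        return scrub_text(line)
    if isinstance(obj, dict):
        return json.dumps(scrub_record(obj))
    return scrub_text(line)


class PhiRedactingFilter(logging.Filter):
    """Rewrites each record's message before the handler formats it, so the
    placeholder rather than the identifier is what gets written to disk."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub_text(record.getMessage())
        record.args = ()
        return True


def log_through_filter(message: str, *args) -> str:
    """Emit one record through a logger fitted with the filter and return the
    formatted line the handler wrote (a harness so the effect can be checked)."""
    buf = io.StringIO()
    logger = logging.getLogger("phi_demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(PhiRedactingFilter())
    logger.addHandler(handler)
    logger.info(message, *args)
    handler.flush()
    return buf.getvalue().strip()


# Constructed sample lines (not real data): one JSON event and one plain line.
SAMPLE_LINES = [
    '{"event": "lab_result_viewed", "user": "jdoe", '
    '"patient": {"name": "Jane Doe", "mrn": "00123", "lab_result": "HbA1c 7.2"}, '
    '"note": "callback 510-555-0123"}',
    "portal login for Jane Doe, phone (510) 555-0123, ssn 123-45-6789, jane@example.org",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scrub_line(line))
    print(log_through_filter("callback %s for patient %s", "510-555-0123", "Jane Doe"))
```

The plain-text sample shows the limit of pattern matching: the phone number, SSN and e-mail are replaced, but "Jane Doe" survives because a name has no fixed shape. Structured logging with known PHI keys is what closes that gap, and for a test portal of the kind the press release describes the safer option is synthetic records rather than a scrubbed copy of production data.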