Kaiser Permanente personnel files found after arrest
Date Reported:
2/6/09
Organization:
Kaiser Permanente
Contractor/Consultant/Branch:
None
Location:
Sacramento, California
Victims:
Employees
Number Affected:
"nearly 30,000"
Types of Data:
Personal information, including "names, social security numbers and birthdates"
Breach Description:
"SACRAMENTO, Calif. - Personal information from about 29,500 employees of Kaiser Permanente might have been stolen by someone who took a computer file, the company said Friday."
Reference URL:
CBS13/CW 31 News
The Mercury News
MSNBC
Report Credit:
CBS13/CW31 News
Response:
From the online sources cited above:
SACRAMENTO, Calif. - Personal information from about 29,500 employees of Kaiser Permanente might have been stolen by someone who took a computer file, the company said Friday.
[Evan] The obvious question is how did this person come into possession of the sensitive information?
Some employees told KCRA 3 that they received an automated voicemail message from Atlanta, Ga., about the information breach.
Kaiser set up a toll-free number for workers to get answers to their questions at 1-.
[Evan] When you call, you get a recorded message.
The information included employee names, social security numbers and birthdates.
The person who took the computer file was not a Kaiser employee, the company said, and the file was found in their possession after they were put under arrest.
[Evan] What was this mystery person arrested for in the first place?
"We immediately launched an internal investigation and are working to determine the source of this breach, and we are working closely with law enforcement in their investigation," representative Gerri Ginsburg said in a statement.
"To our knowledge, only a handful of employees have reported identity theft."
[Evan] This is troubling because we know that some of the information was actually used to commit fraud.
Kaiser said no patient information or health files were involved.
Ginsburg said the file appears to contain Human Resources-type data, and that Kaiser Permanente member information and personal health information was not included on the file.
"We regret that this unfortunate incident occurred," said Gay Westfall, Senior Vice President Human Resources, Kaiser Foundation Health Plan/Hospitals, Northern California.
Kaiser says it is notifying affected employees in three ways: by automated phone call, by letter to their home and by email at their work email address if they have one.
Kaiser is also offering to pay for a year of credit monitoring for the employees.
Commentary:
There are many questions remaining that should be answered in the coming weeks or months. If I were to guess, I would guess that the breach source is (or was) an insider, but this is only a guess.
Past Breaches:
Unknown

Past breaches: 6 that I know of:
August 2008: In August, Kaiser Foundation Health Plan of Mid-Atlantic States disclosed that an employee had stolen and misused patient information from patients at the Kaiser Permanente Falls Church Medical Center. They notified 5,200 members in that breach.
Feb. 2007: doctor's laptop with patient info stolen from a medical center. 22,000 notified.
Nov. 2006: laptop with member/patient info stolen from an employee. 38,000 notified.
July 2006: laptop with patient/member data on it stolen from an employee. 160,000 notified.
Jan. 2006: 2 employees of a contractor arrested and charged with misusing patient info for fraud. 25,000 notified.
June 2005: Kaiser fined $200,000 for exposing patient data on web for what could have been four years.
And this would be the same company that testified to Congress not to make privacy safeguards too stringent as it would inhibit development of HIT, etc.?
Cheers,
/Dissent
You're showing info on the Purdue breach in the Kaiser "victims" section.
Thank you!