HHS Investigates Alleged Kaiser Permanente Privacy Breach


According to the Los Angeles Times, the U.S. Department of Health and Human Services (HHS) and the California Department of Public Health are investigating Kaiser Permanente's storage of patient data at Surefile Filing Systems, a small business owned by Stephan and Liza Dean.

"The California Department of Public Health has already determined that Kaiser 'failed to safeguard all patients' medical records' at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract," writes The Los Angeles Times' Chad Terhune. "The couple's document storage firm kept those patient records at a warehouse in Indio that they shared with another man's party rental business and his Ford Mustang until 2010."

"In October 2012, Kaiser sued the Deans in Riverside County Superior Court for allegedly violating their contract by not returning all patient information when Kaiser picked up the paper records two years ago," iHealthBeat reports. "According to the allegations, the Deans put electronic patient data at risk by leaving two computer hard drives in their personal garage with the door open. At one point, Stephan Dean said he was planning to contact patients about the whereabouts of their electronic medical data because he did not believe that Kaiser had taken proper security precautions."

"The Deans contend ... that employees routinely e-mailed them for patient records, providing full names, dates of birth and Social Security numbers and treatment dates to ensure the proper folders were pulled," writes Threatpost's Anne Saita. "Those emails remained on their home computers until about a week ago. Stephen Dean told a reporter only one in 600 of those emails was password-protected."

Beth Givens, director of the Privacy Rights Clearinghouse, told the LA Times, "Kaiser has shown extraordinary recklessness in this situation. Healthcare companies have to make sure their contractors adhere to ironclad security practices."