According to a number of sources, including datalossdb.org and databreaches.net, a hard drive with information on Kaiser Permanente employees was found at a second-hand store in California. Obviously, the use of data encryption software like AlertBoot would have prevented this breach.
Because the information belonged to an HMO, you might be under the impression that this is a HIPAA data breach. It’s not. Perhaps that’s why it took nearly 6 months to notify those affected.
Original Story Doesn’t Show Up Anymore
The original story that everyone is referencing can’t be found anymore, at least at the time of this post. I tried following the link and it gives me a 404 error notice. Thankfully, I found a Google cache of the story, reproduced here:
Wednesday, current and former employees of Kaiser Permanente started receiving letters in the mail telling them their personal information was found in a second hand store in California.
A former employee who called KXL to talk about the letter said it is very concerning, “It’s like a little gold mine of information that’s out there now.”
Maryann Schwab with Kaiser Permanente says names, phone numbers, social security numbers and other personal information was found on a non-Kaiser external hard drive in September of 2011. The person that bought the hard drive called Kaiser and is (sic) gave the hard dive (sic) up to police. “The information on the hard drive was downloaded to it in 2009” said Schwab, “since then KP has taken steps to bolster the fire wall for sensitive data.”
Further details such as how many people were affected were apparently not shared.
The story brings up a number of questions. First, what does a firewall have to do with anything? Couldn’t the data have been copied by, say, connecting an external disk drive to KP’s computers, be it the drive above or something even more portable (such as a USB key drive), and subsequently transferring the data to the hard drive?
Or, it could be a case where sensitive data is shared between KP and third parties, as is the case for most companies that outsource jobs to vendors. For example, seeing how it’s employee information that was breached, perhaps the drive belongs to a firm that concentrates on resolving or optimizing employee insurance matters. A firewall would mean nothing in this case, since the data is being sent outside on purpose.
Second, where did this hard drive come from? Was it sold by the original owner of the drive? Was it stolen from someone who was authorized to have the data? If the latter, why didn’t they use external disk encryption to secure the data? It would be remiss to authorize someone to keep data on a portable drive without securing it properly.
Employee Info Not Covered Under HITECH Notification Rule: Case is Proof That Mandatory Breach Notification Laws Serve a Purpose?
According to databreaches.net, and I know this to be true myself, the HITECH Breach Notification Rule doesn’t cover data breaches that involve employee data at HIPAA covered entities.
That is, if a hospital’s computer is stolen and it contains patients’ sensitive data, a breach notification letter must be sent within 60 calendar days. However, if the computer next to it is also stolen, and this one only contains employees’ sensitive data, there’s no such requirement to send them a breach notification within the same period.
You might think it’s crazy. I think many would agree with you. That includes yours truly. But that’s how things stand in many states. The proffered reason is that the employees would be taken care of by a different set of laws; yet many states don’t have such laws, or have laws that fall short of what HITECH requires.
Without more details, it’s tough to judge what the 6-month delay represents. Did law enforcement ask KP to temporarily abstain from sending notifications, as it could interfere with their investigation? Or does this represent Kaiser taking their time to figure out how the breach took place, what was stolen, etc.?
I can’t argue against giving those whose data was breached as much information as possible when notifying them. I certainly would appreciate it over a letter that effectively states “we don’t know how, where, or by whom, but your information was found on a hard drive in some second-hand store in California.” I mean, it’s not particularly helpful.
At the same time, there is such a thing as taking too much time. In fact, when the Department of Health and Human Services asked for feedback regarding its interpretation and implementation of HITECH, there were complaints that 60 calendar days may not afford enough time to figure out the whys and hows of a data breach.
However, HHS stuck to the 60 days, noting that the point behind breach notification letters is to let patients know of the breach and give them a chance to protect themselves. The longer one takes to notify patients, the greater the chances that they will be notified after being victimized. And what’s the point in that?