1 min read
Email breach at Kaiser Permanente exposes patient data in Oakland
Kirsten Peremore Nov 8, 2024 6:22:04 AM
On November 1, 2024, Kaiser Permanente notified patients of a recent data breach affecting over 40,000 patients. Threat actors gained access to the organization through employee email accounts.
What happened
On September 3, Kaiser Permanente in Oakland, California, discovered that an unauthorized individual had accessed the email accounts of two employees. In response, the health system immediately terminated access to these accounts and launched an investigation to understand the full scope of the incident.
The investigation revealed that the compromised accounts contained protected health information (PHI) like names and dates of birth. The OCR wall of shame revealed that it impacted 44,600 individuals, which Kaiser claims there is no current evidence of misuse.
What was said
On their website, Kaiser provided the following related to the breach, “Upon learning of the incident, we terminated the unauthorized access and immediately began an investigation to determine the scope of the access. After validating the email contents, we determined that some patients’ protected health information was involved.”
Why it matters
The attack against Kaiser was caused by a vulnerability in email systems. Despite a quick response to the breach itself, preventative measures are far better in ensuring the long-term protection of PHI. The use of HIPAA compliant email platforms like Paubox provides the necessary security organizations like Kaiser need to gain back patient trust.
Related: Top 12 HIPAA compliant email services
FAQs
What are the common methods of compromising email accounts?
Common methods of compromise include phishing, weak passwords, and exploiting software vulnerabilities.
What is an insider threat?
A security risk that comes from within the organization like an employee misusing access to company information.
Why is a notice of security incident necessary after healthcare organizations experience a breach?
It is necessary to inform the affected individuals about the potential exposure of their personal information.