On November 1, 2024, Kaiser Permanente notified patients of a recent data breach affecting over 40,000 patients. Threat actors gained access to the organization through employee email accounts.
On September 3, Kaiser Permanente in Oakland, California, discovered that an unauthorized individual had accessed the email accounts of two employees. In response, the health system immediately terminated access to these accounts and launched an investigation to understand the full scope of the incident.
The investigation revealed that the compromised accounts contained protected health information (PHI) such as names and dates of birth. The OCR breach portal (the "wall of shame") lists the incident as affecting 44,600 individuals; Kaiser states there is no current evidence that the information has been misused.
On its website, Kaiser provided the following statement regarding the breach: “Upon learning of the incident, we terminated the unauthorized access and immediately began an investigation to determine the scope of the access. After validating the email contents, we determined that some patients’ protected health information was involved.”
The attack against Kaiser was caused by a vulnerability in its email systems. Despite a quick response to the breach itself, preventive measures are far more effective at ensuring the long-term protection of PHI. The use of HIPAA compliant email platforms like Paubox provides the security that organizations like Kaiser need to regain patient trust.
Common methods of compromise include phishing, weak passwords, and exploiting software vulnerabilities.
A security risk that comes from within the organization, such as an employee misusing access to company information.
It is necessary to inform the affected individuals about the potential exposure of their personal information.