A hacked Kaiser Permanente employee's emails led to breach of 70,000 patient records

Kaiser Permanente, the largest nonprofit health plan provider in the United States, has disclosed a data breach that exposed the sensitive health information of almost 70,000 patients.

In a notice to patients on June 3, Kaiser revealed that someone gained access to an employee's emails at the Kaiser Foundation Health Plan of Washington on April 5 that contained protected health information — including patient names, dates of service, medical record numbers and lab test result information. Financially sensitive information, including social security and credit card numbers, was not exposed by the breach, according to the healthcare provider.

Although the company didn’t reveal the scale of the breach, a separate filing with the U.S. Department of Health and Human Services confirmed that 69,589 individuals were affected.

“We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident,” Kaiser said in its notice to patients. “We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.”

TechCrunch asked Kaiser how an unauthorized third party was able to gain access to the employees’ emails but the company would not comment by press time. However, it said in its notice that the hacked employee “received additional training in safe email practices,” suggesting the breach may have been the result of either credential stuffing or phishing. Kaiser added that it is “exploring other steps we can take to ensure incidents like this do not happen in the future," but the company would not say what these steps were.

It is also unclear why it took Kaiser almost two months to inform patients affected by the breach.

Kaiser Permanente is the latest in a long line of healthcare providers to be targeted by hackers. Health insurance giant Anthem revealed the theft of 78.8 million records in 2015. More recently, myNurse, a healthcare startup that provides chronic care management and remote patient monitoring services, suffered a data breach in March that saw a malicious third party access protected health data, including patients’ demographic, health and financial information. On May 2, the startup announced it was shutting down.