On September 21, 2017, Kaiser Permanente Health Plan experienced a data breach reported by the California Office of the Attorney General on October 20, 2017. The incident involved an operational error where personal health information intended for one member was inadvertently mailed to another member. The exposed data included member names and medical record numbers, but no financial information or extensive medical details were compromised. The breach was limited to a misdirection of physical mail, resulting in unauthorized access to basic personal and health identifiers. While the incident did not involve cybercriminal activity, malicious intent, or large-scale data exposure, it still posed a risk of privacy violations for the affected individuals. Kaiser Permanente likely took corrective measures to prevent similar errors in the future, including reviewing mailing protocols and reinforcing data handling procedures. The breach highlights the importance of safeguarding even seemingly low-sensitivity information, as improper disclosure can erode trust and potentially lead to identity-related risks.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-102888
TPRM report: https://www.rankiteo.com/company/kaiser-permanente-healthcare
"id": "kai547091725",
"linkid": "kaiser-permanente-healthcare",
"type": "Breach",
"date": "9/2017",
"severity": "50",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Healthcare',
                        'location': 'California, USA',
                        'name': 'Kaiser Permanente Health Plan',
                        'type': 'Healthcare Provider'}],
 'data_breach': {'data_exfiltration': 'No (Physical mailing error)',
                 'personally_identifiable_information': ['Names', 'Medical record numbers'],
                 'sensitivity_of_data': 'Moderate (Names and medical record numbers, but no financial or extensive medical data)',
                 'type_of_data_compromised': ['Personal Health Information (PHI)']},
 'date_detected': '2017-09-21',
 'date_publicly_disclosed': '2017-10-20',
 'description': 'The California Office of the Attorney General reported a data breach involving Kaiser Permanente Health Plan on October 20, 2017. The breach occurred on September 21, 2017, and involved the inadvertent mailing of personal health information intended for one member to another member. The incident compromised member names and medical record numbers but did not involve financial data or extensive medical information.',
 'impact': {'brand_reputation_impact': 'Potential (Limited scope)',
            'data_compromised': ['Member names', 'Medical record numbers'],
            'identity_theft_risk': 'Low (No financial or extensive medical data exposed)'},
 'investigation_status': 'Reported (No further details provided)',
 'motivation': 'Accidental (Human Error)',
 'post_incident_analysis': {'root_causes': 'Human error (Inadvertent mailing of PHI to wrong recipient)'},
 'references': [{'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Potential HIPAA (Health Insurance Portability and Accountability Act)'],
                           'regulatory_notifications': 'Reported to California Office of the Attorney General'},
 'response': {'communication_strategy': 'Public disclosure via California Office of the Attorney General'},
 'title': 'Kaiser Permanente Health Plan Data Breach (2017)',
 'type': 'Data Breach (Unintentional Disclosure)'}