Kaiser Permanente said employee names, phone numbers, social security numbers, and other personal information was found on a non-Kaiser external hard drive in a California second-hand store in September, according to a report by KXL news radio.
The person who bought the hard drive called Kaiser and gave the hard drive to police, according to the report.
"The information on the hard drive was downloaded to it in 2009", Maryann Schwab, a Kaiser Permanente spokeswoman, told the radio station. "Since then, KP has taken steps to bolster the fire wall for sensitive data", she added.
In a blog post, the Office of Inadequate Security noted that because the breach did not involve patient data, it was not subject to California’s five-day notification requirement or the federal Health Information Technology for Economic and Clinical Health (HITECH) 60-day framework.
“A delay in notifying of over five months? That seems unusually long by today’s standards. I expect/hope we’ll see some explanation or statement from KP to explain the delay”, the blog added.