Attack on Kaiser Permanente Exposes Data on 70,000 Customers

A leading US healthcare provider has warned that as many as 70,000 individuals may have had sensitive personally identifiable information (PII) stolen by a malicious third party.

Kaiser Permanente employs over 300,000 staff to deliver healthcare and not-for-profit health plans across the country.

However, a data breach notice sent to customers earlier this month revealed that the provider had discovered unauthorized access to an employee's email account on April 5.

“We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident. We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility,” it continued.

“The protected health information potentially exposed included first and last name, medical record number, dates of service, and laboratory test result information. Sensitive information such as Social Security numbers and credit card numbers was not included in the information.”

The healthcare provider said it reset the affected employee’s password and provided them with additional training to mitigate the risk of such an incident happening again.

Although the firm did not reveal the scale of the breach in its letter, a separate filing with the US Department of Health and Human Services put the number of affected individuals at 69,589.

Erfan Shadabi, a cybersecurity expert at security vendor comforte AG, argued that sensitive data should be protected as soon as it enters the organization.

“You can try to plug every single access point, but threat actors are always looking for the one simple flaw that will gain them access to your sensitive enterprise data,” he added.

“Data is always the target, and only more data-centric security measures, such as tokenization and format-preserving encryption, can thwart the bad actors’ attempts to steal sensitive information to use for their nefarious purposes and personal gain.”
