Kaiser Permanente data breach: data about 70 thousand people exposed

Medical and personal data of people exposed in the data breach that happened in April

Healthcare provider suffered breach. The company revealed that the attacker accessed the email account of an employee and managed to get to the PHI of 70k patients.

Kaiser Permanente suffered a data breach when attackers gained access to private account details through an email compromise. The compromise happened on April 5th, and the medical records of 70 000 patients were exposed as a result.[1] The health care provider has not disclosed the exact number of affected patients, but its filing with the United States Department of Health and Human Services Office for Civil Rights shows that 69,589 individuals had their protected health information exposed in the incident.

America's leading nonprofit health plan and health care provider disclosed the breach, which affected more than 69k individuals, earlier this month.[2]

This notice describes a security incident that may have impacted the protected health information of some Kaiser Permanente patients who may have been affected by an unauthorized access incident on April 5, 2022

The company has been known since 1945 and provides healthcare services to more than 12 million members in 8 U.S. states and Washington, D.C. It published a notice stating that the attacker accessed, without authorization, an employee's email account that contained patients' protected health information. The incident was disclosed to affected individuals on June 3rd.

Personally identifiable and sensitive data exposed

The organization stated that the unauthorized attacker accessed details on individual patients, but Social Security numbers and credit card details or other financial information were not exposed during the breach.[3] However, the security incident that affected patients of the Kaiser Foundation Health Plan of Washington revealed personal details about them:

  • First and last names;
  • Medical record numbers;
  • Dates of service;
  • Laboratory test results and health information.

The attacker managed to maintain access to the data for a few hours, and after that Kaiser terminated the malicious activities. From there, the company moved on to commence a cyber security incident investigation to determine the scope of the attack and data breach.

Quick response to the incident

Kaiser Permanente managed to terminate the attackers' access to the email account and the system within hours of the initial alert. An investigation then started to assess the damage of the possible breach. Such incidents can have major consequences when personal data or even credit card details are involved.[4]

The account's password had to be changed so that the activity could not be repeated. An insecure email with a malicious link, remote access trojan[5] malware, or a similar cyber threat allowed the attacker to get into the email account or even the system. This is why the employee, and potentially other workers, received training on safe email practices, and the company plans to ensure that incidents like this cannot happen in the future.

There are no particular indicators that the accessed information on patients got stolen, exfiltrated, or abused after the initial attack. However, there is no evidence that this could not happen. There is still a possibility that attackers stole these details and can use the personal information to target people in additional campaigns later on.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
