140 Kaiser patients' private data put online

March 11, 2005

By Barbara Feder Ostrov


In a troubling episode involving medical privacy in the digital age, Kaiser Permanente is notifying 140 patients that a disgruntled former employee posted confidential information about them on her Weblog.

The woman, who calls herself the "Diva of Disgruntled," claims it was Kaiser Permanente that included private patient information on systems diagrams posted on the Web, and that she pointed it out.

The health care giant learned of the breach from the federal Office of Civil Rights in January, said Kaiser spokesman Matthew Schiffgens. Kaiser has been investigating ever since, Schiffgens said, but it wasn't until Wednesday that it asked the Internet service provider hosting the blog to remove the information.

Kaiser has not been able to verify the woman's claims that it was responsible for posting private patient information, said Schiffgens.

"If we had a role in making that available, we have a right to be criticized for that," Schiffgens said. "Regardless of how it happened, her initial postings are clearly a breach of her obligation to protect member confidentiality."

The woman, who identified herself only as "Elisa," told the Mercury News Kaiser posted patient information on an unsecured technical Web site and that she called attention to it before Kaiser took the site down. She also said that she reposted the information on another site to make the point that anyone could have gained access to this information, since it had been widely available on the Web for a year.

She said she also filed a complaint with the federal Office of Civil Rights about the security breach.

The information includes medical record numbers, patient names and in some cases information about, but not results of, routine lab tests. The former employee apparently reposted the information Thursday, but it was again removed, Schiffgens said.

Kaiser contacted or left messages with 90 of the 140 members Thursday to alert them to the security breach, and hopes to reach the remaining members today. The patients were dispersed throughout Northern California, Schiffgens said.

"We apologize regarding this unlawful disclosure," he said. "We take our members' confidential and personal information very seriously."

Schiffgens said the woman was a low-level Web designer who worked for the Kaiser Permanente Medical Group in Oakland. She was terminated in June 2003, but Schiffgens would not say why or release her name.

Kaiser will take legal action against the woman if warranted, Schiffgens said. Under federal health privacy rules known as HIPAA, the woman could face up to $250,000 in fines and 10 years in prison for unauthorized disclosure of patient information.