Malware had been on Kaiser’s server for two years
DataBreachToday reports Kaiser Permanente’s recent discovery of malware on a server storing health data used for research has prompted the integrated managed care consortium to notify 5,100 patients about a potential privacy breach. In the letter, Kaiser Permanente Northern California Division of Research notified patients that malicious software was discovered on the server in February, and the malware is suspected to have been introduced in October 2011, leaving patient data vulnerable for over two years.
That patient data includes name, date of birth, age and gender, and possibly address, race/ethnicity, medical record number, lab results associated with research, and responses individuals provided to research-related questions, depending upon the research study, Kaiser says. The company maintains that neither Social Security numbers, nor data contained in Kaiser Permanente’s electronic health records, were exposed.
A Kaiser Permanente spokeswoman told DataBreachToday, “Our investigation has found no evidence to date that the information on the server or connected to the server was ever actually opened, copied, or used by any unauthorized persons. We have no information that any unauthorized person accessed the information on the server. We are continuing to monitor the situation. Protecting our members’ information is a responsibility we take very seriously.”
She continued, stating that anti-virus software on the affected server had not been updated “due to human error related to the configuration of the software. We immediately removed the server after identifying the infection and confirmed that the infection was limited to this one compromised server. The compromised server was the only server at the Division of Research that did not have the proper anti-virus software updates,” she asserted. “We have taken corrective actions to update and strengthen our electronic security measures and protocols to help prevent a situation like this from happening again.”
It was not clear specifically how the malware was discovered, but according to the spokeswoman, the organization “employs a series of electronic security measures, including regular third-party security scans. We have confirmed that the infection was limited to this one compromised server, and that all other DOR servers were and are appropriately protected with anti-virus security,” she says.
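The root cause described above is a single server whose anti-virus definitions silently stopped updating. The following is an added example (not Kaiser Permanente's tooling or any vendor's API) of the kind of periodic audit a defender can run against an endpoint-protection inventory export to catch exactly that gap: hosts with no agent, no reported definition date, or definitions older than a threshold. The inventory lines and hostnames are constructed for illustration.

```python
"""Audit an anti-virus inventory export for unprotected or stale hosts.

Added example with constructed data; the CSV layout below is an assumption,
not the format of any particular product.
"""
from datetime import date, timedelta

# Constructed inventory export, one host per line:
# hostname,agent_installed(yes/no),definitions_date(YYYY-MM-DD or none),last_checkin(YYYY-MM-DD)
INVENTORY = """\
dor-db-01,yes,2014-02-10,2014-02-12
dor-app-02,yes,2014-02-11,2014-02-12
dor-research-07,yes,2011-09-30,2014-02-12
dor-file-03,no,none,2014-02-12
dor-web-04,yes,2014-01-05,2014-02-12
"""

# Definitions older than this are treated as a finding; tune to local policy.
MAX_DEFINITION_AGE = timedelta(days=7)


def parse_inventory(text):
    """Turn the CSV export into a list of host records with real date objects."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, installed, defs, checked = (f.strip() for f in line.split(","))
        hosts.append({
            "host": name,
            "installed": installed.lower() == "yes",
            "definitions": None if defs.lower() == "none" else date.fromisoformat(defs),
            "last_checkin": date.fromisoformat(checked),
        })
    return hosts


def find_unprotected(hosts, as_of, max_age=MAX_DEFINITION_AGE):
    """Return (hostname, reason) pairs for every host that fails the policy.

    A host fails if the agent is missing, if it reports no definition date
    (a configuration problem rather than an update problem), or if its
    definitions are older than max_age as of the audit date.
    """
    findings = []
    for h in hosts:
        if not h["installed"]:
            findings.append((h["host"], "no anti-virus agent installed"))
        elif h["definitions"] is None:
            findings.append((h["host"], "agent installed but no definition date reported"))
        elif as_of - h["definitions"] > max_age:
            age = (as_of - h["definitions"]).days
            findings.append((h["host"], f"definitions {age} days old"))
    return findings


def audit(text=INVENTORY, as_of=date(2014, 2, 12)):
    """Convenience wrapper: parse and evaluate in one call."""
    return find_unprotected(parse_inventory(text), as_of)


if __name__ == "__main__":
    for host, reason in audit():
        print(f"{host}: {reason}")
```

The useful property is that the check is independent of the agent's own health reporting: the host with definitions from 2011 is flagged by date arithmetic regardless of whether the agent considers itself healthy, which is the failure mode the quoted statement describes.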
The new breach will soon be listed on the HHS Office for Civil Rights’ website of major security breaches affecting 500 or more individuals, and will be Kaiser’s fourth posting on the site.
In late 2013, a missing flash drive from the nuclear medicine department at Anaheim Medical Center resulted in notifications sent to about 49,000 patients. Also in 2013, Kaiser notified 647 patients after learning of unauthorized access/disclosure of the EHR. In late 2009, the organization notified about 15,500 patients following the theft of an electronic portal device.
Date: April 11, 2014