Kaiser Plan Reaches Breach Settlement
Attorney General Cited Concerns About 2011 Incident Response
Kaiser Foundation Health Plan has reached a settlement with the California Attorney General's office related to a 2011 breach that compromised personal data of about 30,000 of the plan's employees.
Attorney General Kamala Harris had issued a complaint alleging that Kaiser failed to promptly notify individuals about a security breach, as required under state law. The unusual breach involved the purchase by a customer at a thrift store of a used unencrypted external hard drive containing information on about 30,000 Kaiser plan employees.
A Kaiser spokeswoman says the company "could not confirm how the external hard drive ended up in the thrift store, because we did not own the device. However, we believe [Kaiser] information was inappropriately transferred to a personal device in the course of performing work, and that this device was later donated before the information was securely removed." Kaiser was able to secure custody of the drive and performed a forensic evaluation.
Information contained on the hard drive included employee names, Social Security numbers, dates of birth and addresses, in addition to unencrypted personal information of some employees' spouses and children.
In the settlement, Kaiser agrees to make more prompt notification of future breaches and to take several other steps to improve its data security practices. It also agrees to pay a small financial penalty and legal fees.
The Kaiser health plan has agreed to take "appropriate actions to resolve [the attorney general's] concerns and continue to protect our employees' information," Kaiser says in a statement issued to Information Security Media Group. That includes ramped-up compliance training of employees.
Settlement documents provided to Information Security Media Group by the attorney general's office specify that Kaiser has agreed to provide notification for future breaches involving current or former employees' personal data on a "rolling basis." That means Kaiser will begin providing breach notification as soon as reasonably possible after identifying a portion of the total individuals affected by a breach, even if Kaiser's breach investigation is ongoing, and will continue to notify individuals as soon as they are identified until Kaiser's breach investigation is completed.
Settlement documents also indicate that Kaiser has agreed to review and improve where "necessary and feasible" its policies regarding encryption of e-mail that contains sensitive employment-related personal information. Also, Kaiser agrees to provide to the attorney general the results of an internal audit regarding the extent of employee access to sensitive employment-related personal information. Those actions must be implemented within 120 days after entry of the judgment, which was dated Jan. 24.
Kaiser also agreed to pay a $30,000 penalty to the state and $120,000 to cover legal fees and the cost of the prosecution and investigation.
In its statement, Kaiser says its actions as a result of the settlement "will strengthen [its] already stringent privacy and security processes." The company says all desktop and laptop computers managed by its IT department are encrypted.
The company notes that in 2011, after the breach, it also implemented "additional security safeguards to protect confidential information transferred onto an external device from its IT-managed computers." Software on Kaiser's IT-managed desktop and laptop computers "automatically encrypts any file that is transferred onto a USB/external device, and concurrently creates a password required for any future access to the transferred file," says the company. "We will continue to take appropriate steps to protect the information entrusted to us."
The settlement comes after a formal complaint that the attorney general filed against Kaiser Foundation Health Plan for failing to disclose in a timely manner a breach that affected more than 30,000 current and former employees and for exposing Social Security numbers in the breach.
As a "legal formality," the attorney general filed both the complaint and settlement documents in court on Jan. 24, 2014, a Kaiser spokesman says. However, the attorney general and Kaiser had been in discussions over the case since about March 2012, he says.
The health insurer learned on or about Sept. 24, 2011, that an external hard drive containing unencrypted personal information on the employees had been purchased by a customer at a thrift store in Santa Cruz, Calif., the state's complaint says.
The AG's complaint contends Kaiser waited six months after its initial discovery of the breach to notify affected individuals. The attorney general alleges that "as early as December 2011" Kaiser could have begun notifying individuals it identified as being affected by the breach after Kaiser secured custody of the hard drive and completed initial forensic testing of the device.
The complaint alleges that Kaiser, by waiting until March 2012 to contact breach victims, violated California law, which requires issuing breach notification "in the most expedient time possible and without unreasonable delay."
Impact of Case
In a blog about the case, privacy and security attorney David Navetta of the law firm Information Law Group notes, "While California's law does not explicitly define 'most expedient time possible and without unreasonable delay', California's Office of Privacy Protection recommends that notice be provided within 10 business days of an organization's determination that personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
Navetta writes, "If the saying is true, 'as California goes so goes the nation,' this case could impact how other state regulators view the timing requirements under their breach notification laws."
In other recent breach-related legal action in the healthcare arena, Horizon Blue Cross Blue Shield of New Jersey faces a class action lawsuit that alleges it failed to properly secure sensitive data and violated the Fair Credit Reporting Act and the New Jersey Consumer Fraud Act. That case is tied to a breach late last year involving the theft of two unencrypted laptop computers that affected nearly 840,000 of its members.
Navetta says that healthcare data breach cases like those involving Kaiser and Horizon are putting a spotlight not only on the urgency and importance of protecting patient data, and responding to breaches, but also on the need for cyber-insurance.
(News writer Jeffrey Roman contributed to this story.)