State regulators Monday fined a division of Kaiser Permanente $200,000 for exposing on the Internet the confidential health records of about 150 patients for as long as four years.
The nation’s largest nonprofit health insurer began a test program to make medical records of some of its members available electronically to physicians, and to give members access to their own records over the Internet.
But the Kaiser website in 1999 included confidential patient information, such as addresses, phone numbers and lab tests, that was available for public viewing. Oakland-based Kaiser did not remove the site until it was brought to the attention of federal authorities in January 2005, according to the California Department of Managed Health Care.
And Kaiser told patients about the medical records just three months ago, after it was reported in the media, the state said.
“Not only was this a grave security breach, Kaiser did not actively work to protect patients until after they had been caught,” said Cindy Ehnes, director of the state agency. “We’re imposing this fine because we consider this act to be irresponsible and negligent at the expense of members’ privacy and peace of mind.”
The $200,000 fine against Kaiser Foundation Health Plan is the largest the state has imposed on a health insurer for a breach of patient confidentiality, the agency said.
“It was an oversight and it will not happen again. We regret it,” said Rick Malaspina, a spokesman for Kaiser in Northern California. “We’ve learned a lot from this.”
Under state law, a health plan can be fined if it discloses confidential medical information without first obtaining the patient’s authorization, state officials said. Kaiser Permanente, with 8.3 million members, reported first-quarter net income of $552 million on revenue of $7.7 billion.
A former Kaiser Web coordinator, Elisa D. Cooper, 35, first brought the security breach to the public’s attention by posting links to the site on her blog. The Berkeley resident then notified civil rights authorities. Kaiser then sued her, accusing her of invasion of privacy and breaking a confidentiality agreement; that suit is still pending in Alameda County Superior Court. Cooper was let go by Kaiser in 2003.
“I’m glad to see this action,” Cooper said Monday. “People don’t understand this information was there for years.”
In April, state healthcare regulators issued a cease-and-desist order against Cooper for linking to Kaiser’s website and disseminating confidential medical information.
Kaiser is in the midst of creating KP HealthConnect, an electronic medical records center that it hopes by 2007 will give doctors up-to-the-minute access to lab results and diagnostic images, and would give members access to their own records on the Internet. The system is designed to promote better healthcare and to reduce costs.
Although Kaiser promises the system will be designed to resist hackers and be password protected, the recent security breach shows “just how vulnerable these systems can be,” said Beth Givens, director of the Privacy Rights Clearinghouse, a nonprofit consumer group in San Diego.
“Many people are even more concerned about their medical information being public than their financial information,” she said. “There are things in their records they don’t even tell members of their own families.”