Federal and state officials are investigating whether healthcare giant Kaiser Permanente violated patient privacy in its work with an Indio couple who stored nearly 300,000 confidential hospital records for the company.
The California Department of Public Health has already determined that Kaiser "failed to safeguard all patients' medical records" at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract. The couple's document storage firm kept those patient records at a warehouse in Indio that they shared with another man's party rental business and his Ford Mustang until 2010.
Until this week, the Deans also had emails from Kaiser and other files listing thousands of patients' names, Social Security numbers, dates of birth and treatment information stored on their home computers.
The state agency said it was awaiting more information from Kaiser on its "plan of correction" before considering any penalties.
Officials at the U.S. Department of Health and Human Services began looking into Kaiser's conduct last year after receiving a complaint from the Deans about the healthcare provider's handling of patient data, letters from the agency show. Kaiser said it hadn't been contacted by federal regulators, and a Health and Human Services spokesman declined to comment.
Kaiser said it remained confident that this patient information was never disclosed or accessed inappropriately. It said that some employees were disciplined because company policies were not followed and that it had informed regulators of the steps it had taken to ensure this type of incident didn't happen again.
"Kaiser Permanente is committed to protecting the medical and personal privacy of its patients," spokesman John Nelson said. "In retrospect, we certainly wish we'd never done business with Mr. Dean."
Even with tougher government oversight of medical privacy in recent years, this case underscores how confidential patient information remains vulnerable in the hands of big healthcare institutions and legions of outside contractors.
"Kaiser has shown extraordinary recklessness in this situation," said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. "Healthcare companies have to make sure their contractors adhere to ironclad security practices."
Federal and state laws impose strict standards on anyone dealing with patient information. The privacy rule of the federal Health Insurance Portability and Accountability Act, known as HIPAA, bans the unauthorized disclosure of individuals' medical records and requires healthcare providers and vendors, such as billing and storage companies, to protect the information.
Despite those rules, personal medical information of 21 million people nationwide has been improperly exposed since 2009, according to federal data. Last year, Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million to resolve allegations it violated federal law after 57 computer hard drives with patient information were stolen from an outside facility.
In October, Kaiser sued the Deans in Riverside County Superior Court, accusing them of violating their contract by not returning all of its patient information two years ago when Kaiser picked up the paper records.
In court filings, Kaiser said the Deans put patient data at risk by leaving two computer hard drives in their garage with the door open. In response, Stephan Dean moved them to a spare room. On a recent day they sat next to a red recliner where Ziggy, the family's black-and-white cat, curled up for a nap. Dean said those hard drives contained spreadsheets on thousands of Kaiser patients, prepared at the company's request.
At one point, Dean told Kaiser he was planning to contact patients about the whereabouts of their medical information because he felt Kaiser hadn't taken proper precautions. The company sought a temporary restraining order against Dean, barring him from disclosing any confidential information. A Superior Court judge granted Kaiser's request until Thursday, when another hearing is scheduled.
Dean, 47, got his foot in the door at Kaiser from his previous work labeling paper folders for courthouses, hospitals and doctors.
But the demand for folders was slipping as hospitals and doctors used computers more. Kaiser was at the forefront of this as it invested billions of dollars in its HealthConnect system, which it bills as the largest private-sector electronic health record in the world. Kaiser, with more than 9 million customers, is the nation's largest nonprofit insurer and hospital system.
Dean said his small business, Sure File Filing Systems, got a big break when Kaiser acquired the Moreno Valley Community Hospital in 2008. The company needed to organize and clear out thousands of old patient files and it gave the job to the Deans, Kaiser records show.
In August 2008, the Deans started packing up thousands of files from Moreno Valley and moving them to the warehouse in Indio.
Hospital clerks routinely messaged Dean asking him to pull records on specific patients, emails sent by Kaiser to Sure File show. Dean said some Kaiser employees would put the patient's full name in the subject line of the email, and other messages listed the patient's Social Security number, date of birth, doctors' names and treatment dates. One message started, "Good Morning Sure File," and requested adoption records for a child.
Dean said Kaiser showed little concern for patient privacy in handling those requests. Only one out of more than 600 emails from Kaiser was password-protected with encryption, he said. Many medical providers use such technology so information isn't visible to others.
"Every one of these records is somebody's life," Dean said recently, scrolling quickly through what he said was Kaiser information on his computer screen. "We could have sold these emails to somebody in Nigeria, but Kaiser doesn't care about its patients' information."
Kaiser said that government rules don't require encryption and that "our vendors are contractually required to maintain secure environments for all records, and this includes Sure File."
The healthcare company awarded another job to Sure File in January 2010: to "deactivate" and store about 345,000 records from its West Los Angeles Medical Center for $206,000, according to Kaiser documents.
But within a few weeks, Dean said, he stopped working because he didn't have a contract yet for the West Los Angeles work. The two sides reached an accord in March 2010, and in a letter that month a Kaiser purchasing manager apologized to Dean for the confusion.
"We should have signed a contract prior to the commencement of this project," the manager wrote.
Three months later, in June 2010, Dean said, he stopped working for Kaiser again. This time, he said, he could no longer afford the insurance on the warehouse and $1,500 a month for gas for his file deliveries to Kaiser.
By July 2010, Kaiser had terminated the Deans' contract and picked up the medical records from the Indio warehouse, court files show.
The two sides signed an agreement in March 2011 to resolve their differences and Kaiser paid $110,000 to Dean, according to court documents. In its lawsuit, Kaiser said Dean was required to return or destroy "all the protected information of Kaiser members" as part of their agreements.
Dean says those agreements covered only the return of paper records. On New Year's Eve, Dean said, he deleted the Kaiser emails and other patient information on the two hard drives.
Kaiser said "this is a positive step, although based on [Dean's] behavior we will be seeking independent verification of his promised performance." In court filings, the company said it had sought access to his computers and email account for inspection by a forensic consultant.
Dean said he offered to grant that access — if the company paid him $100,000. Kaiser said it already had fully compensated the Deans, paying them about $500,000 in all.
"Kaiser created this mess and I want to make sure patients are notified properly if someone hacked into their information," Dean said. "We've had all sorts of viruses on our computer."