Kaiser Permanente patient data exposed online

Linda Rosencrance schreibt seit mehr als 20 Jahren über Technologiethemen - unter anderem für unsere US-Schwesterpublikation CIO.com.

A disgruntled former employee at Kaiser Permanente, a health maintenance organization in Oakland, Calif., posted a link to a Web site containing the personal information of 140 Kaiser patients -- an effort, she said, to call attention to a potential breach of privacy laws by the company.

The company is now seeking a restraining order in Alameda County Superior Court against the woman, known as the "Diva of Disgruntled," who posted the information on her Web log, according to Kaiser spokesman Matthew Schiffgens.

Schiffgens said the woman continued to post the information despite a cease-and-desist request from Kaiser, which learned about her allegations in January from the U.S. Office of Civil Rights -- the enforcement arm under the Health Insurance Portability and Accountability Act. The federal agency began looking into the matter after the woman filed a complaint with it.

The company is investigating whether it had a hand in exposing the data.

According to Schiffgens, the data exposed included contact information such as names, addresses and telephone numbers, as well as medical record numbers that are unique identifiers within Kaiser Permanente. For a very small portion of the HMO"s members, some routine lab information was also posted, he said.

Kaiser is now contacting the affected patients while it tries to determine on its own how the patient information became public. The former employee, whose first name is Elisa, said she stumbled on it while doing a search for information about the company; Schiffgens denied that the data would have been publicly available.

"We"re aware of the individual"s allegations as to Kaiser Permanente posting this information to the Web," he said. "Our investigations have not been able to determine that, and we continue to investigate how this information came into her possession. What I can say is that Kaiser had a Web site that made various different schematics available so that remote IT people could do their work and see the schematics of the systems they were working on."

Elisa, who described herself in an e-mail message to Computerworld as a former "Web coordinator" for the HMO, claimed that the Web site she found contained diagrams of Kaiser systems, as well as the confidential patient data. In fact, she said she accessed the site using Google.

"I had been trying to dispute my termination, but Kaiser would not allow (me) access to any of the documentation I needed," said Elisa, who was terminated in June 2003. "I was searching online for any information I could find. My former manager"s name is on the systems diagrams, so they came up in the course of research. There was no hacking involved."

Schiffgens said the diagrams, which at time were not behind a firewall or password-protected, were related to an application that generated letters for the lab reporting system. "The lab system itself was behind our firewall and was password-protected," he said.

The Web site showing the system diagrams is also now behind the firewall and password protected, he said.

Schiffgens also said the schematics had nothing to do with Kaiser"s HealthConnect program -- the system that will organize and integrate clinical information for the company"s approximately 8.3 million members across the U.S.

"Kaiser has been trying to convince Congress that it should take a leading role in the development of a national Electronic Medical Record," Elisa said. "(But Kaiser) is a profoundly sloppy organization that lets part of its intranet leak online to be indexed by Google and allows either employees or consultants in highly sensitive areas to post system specs on a public Web site. The federal government needs to start asking questions about whether Kaiser can back up its promises when they start bidding for EMR projects."

With that in mind, Elisa said she included a link to the Kaiser site on her own Web site.

"I did not post this information: I linked to the original site, which seems to have been posted by a Kaiser employee or insider," Elisa said. "I found the Kaiser System Diagrams online at http://tripod.docviewer.com in July 2004. You can see the remains of the site and the fact it has been online since at least December 2002 at http://web.archive.org/web/*/http://docviewer.tripod.com," she said.

Elisa also said that, in her opinion, publicly distributing diagrams of systems that partly constitute California"s transitional Electronic Medical Records system is an even bigger deal than the patient privacy issue. With that in mind, she contacted the Office of Civil Rights, which then contacted Kaiser officials about the potential breach.

"We are continuing that investigation and continue to have discussions with OCR," Schiffgens said. "On March 9, we asked the ISP to remove the posting (from Elisa"s Web site). After we concluded that real member information was included in the site, we took swift action to contact the ISP and have it removed. But she reposted it twice, and the ISP removed it both those times."

In response, Elisa, who then posted a copy of the site she had made, said she planned to remove the post once the issue had been publicly aired.

"My intent was to take it down after the Office of Civil Rights had done a proper investigation or Kaiser otherwise came under public/government scrutiny," she said. "The site remained up while I was trying to figure out what to do next."

Officials at the Office of Civil Rights could not be reached for comment.