Privacy Ninja

Kaiser Permanente Data Breach Exposes Health Data of 69K People

Kaiser Permanente, one of America’s leading not-for-profit health plans and health care providers, has recently disclosed a data breach that exposed the health information of more than 69,000 individuals.

Founded in 1945, Kaiser Permanente provides health care services to over 12.5 million members from 8 U.S. states and Washington, D.C. 

The company revealed in a notice published on its website that an attacker accessed an employee’s email account containing patients’ protected health information (PHI) on April 5, 2022, without authorization.

“This notice describes a security incident that may have impacted the protected health information of some Kaiser Permanente patients who may have been affected by an unauthorized access incident on April 5, 2022,” the health care provider said.

“The specifics of the unauthorized access were provided to individuals affected in a letter sent by Kaiser Permanente on June 3, 2022.”

Sensitive info exposed in the attack includes:

  • The patients’ first and last names
  • Medical record numbers
  • Dates of service
  • Laboratory test result information

The organization says no Social Security numbers and credit card numbers were exposed during this breach. 

The security incident only affected the Kaiser Foundation Health Plan of Washington patients.

Access to breached email severed within hours

Kaiser Permanente terminated the attacker’s access to the email account within hours and began investigating the incident to assess its impact.

“After discovering the event, we quickly took steps to terminate the unauthorized party’s access to the employee’s emails,” Kaiser Permanente added [PDF].

“This included resetting the employee’s password for the email account where unauthorized activity was detected.

“The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future.”

The health care provider did not find evidence that the PHI stored in the hacked email account was stolen or misused after the incident but couldn’t completely rule out this possibility.

While Kaiser Permanente did not reveal the exact number of affected patients in the breach notice, information filed with the U.S. Department of Health and Human Services Office for Civil Rights shows that this incident has led to 69,589 individuals having their PHI exposed.
