
Kaiser Permanente, a health care provider, has disclosed a data breach that compromised the information of some 70,000 patients at its subsidiary Kaiser Foundation Health Plan of Washington.
The company said it discovered on April 5, 2022 that an unauthorized party had gained access to an employee's emails. It says the unauthorized access was terminated within hours of beginning and describes the event as a security incident.
The emails contained protected health information. Although Kaiser Permanente says it has no indication that the unauthorized party accessed that information, it is unable to rule out the possibility.
Information potentially exposed included first and last names, medical record numbers, dates of service, and laboratory test results. Social Security numbers and credit card numbers were not exposed.
Kaiser Permanente does not say how the email account was compromised, but the available evidence points to either phishing or a stolen or reused password (credential stuffing). The one hint is the company's statement that "the employee received additional training in safe email practices," which would not be needed unless the employee's own handling of email played a part. That fits a phishing lure most naturally; a password reused from another breached site is harder to square with email-safety training but cannot be excluded on what has been published.
In response to the incident, Kaiser said it promptly reset the employee's password for the email account where the unauthorized activity was detected. A password reset is a starting point rather than full containment: sessions and tokens already issued to the attacker can survive a reset unless they are revoked as well, and mailbox-level changes such as forwarding or inbox rules need a separate check.
The breach occurred almost three months ago, yet Kaiser Permanente has only recently notified potentially affected people that their data may have been compromised. During that time, the affected individuals could have been targeted by attackers using specific details from the stolen records, such as dates of service or test results, to make social engineering campaigns convincing.
It is critical that organizations, as part of their larger cybersecurity culture, include in their risk analyses or tabletop exercises an assessment of how quickly they can determine the scope of a potential breach: which messages or records an intruder could have reached, and which individuals those records concern.
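As an added illustration of what scoping an incident like this one looks like in practice, the following is example code written for this page, not Kaiser Permanente's tooling. It correlates sign-in records with mailbox-access audit events to find the unauthorized window, attributes message reads to the intruder, and maps those messages to the patient identifiers they contain. All records, IP addresses, message IDs and medical record numbers are constructed, the record shape is a simplified stand-in rather than any product's schema, and the containment time and "known" IP set are assumptions. It also handles the two cases the article turns on: activity from the intruder's address after the password reset (a reset does not revoke sessions already issued), and a mailbox without access auditing, where "not read" cannot be distinguished from "not logged" and the whole mailbox has to be treated as exposed.

```python
"""Breach-scoping helper (illustrative example; not Kaiser Permanente code).

Correlates sign-in events with mailbox-access audit events to determine what an
intruder could have read and which patients are affected. Input records are
constructed and use a simplified, made-up schema.
"""
from datetime import datetime, timezone


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp like 2022-04-05T09:10:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample data (assumptions, not real logs).
KNOWN_IPS = {"203.0.113.10"}            # the employee's usual egress address
CONTAINMENT = "2022-04-05T12:00:00Z"    # when the password was reset

SIGNINS = [
    {"time": "2022-04-05T07:55:00Z", "user": "jdoe", "ip": "203.0.113.10", "result": "success"},
    {"time": "2022-04-05T09:10:00Z", "user": "jdoe", "ip": "198.51.100.77", "result": "success"},
    {"time": "2022-04-05T13:05:00Z", "user": "jdoe", "ip": "198.51.100.77", "result": "failure"},
]

MAIL_EVENTS = [
    {"time": "2022-04-05T08:00:00Z", "ip": "203.0.113.10", "op": "MailItemsAccessed", "message_id": "m1"},
    {"time": "2022-04-05T09:12:00Z", "ip": "198.51.100.77", "op": "MailItemsAccessed", "message_id": "m2"},
    {"time": "2022-04-05T09:15:00Z", "ip": "198.51.100.77", "op": "MailItemsAccessed", "message_id": "m3"},
    # After the reset, but from the intruder's address: a surviving session.
    {"time": "2022-04-05T12:40:00Z", "ip": "198.51.100.77", "op": "MailItemsAccessed", "message_id": "m4"},
    {"time": "2022-04-05T15:00:00Z", "ip": "203.0.113.10", "op": "MailItemsAccessed", "message_id": "m5"},
]

# Which messages carry protected health information, and whose (constructed MRNs).
MESSAGES = {
    "m1": {"phi": False, "mrns": []},
    "m2": {"phi": True, "mrns": ["MRN-0001", "MRN-0002"]},
    "m3": {"phi": False, "mrns": []},
    "m4": {"phi": True, "mrns": ["MRN-0003"]},
    "m5": {"phi": True, "mrns": ["MRN-0004"]},
}


def unauthorized_sessions(signins, known_ips, containment):
    """Return (start, end, ip) windows, one per unrecognised IP that signed in
    successfully, running from that first sign-in until containment."""
    end = parse_ts(containment)
    sessions = {}
    for s in sorted(signins, key=lambda s: s["time"]):
        if s["result"] == "success" and s["ip"] not in known_ips and s["ip"] not in sessions:
            sessions[s["ip"]] = (parse_ts(s["time"]), end, s["ip"])
    return list(sessions.values())


def exposed_events(mail_events, sessions, known_ips):
    """Mailbox events attributable to the intruder: anything from the intruder's
    IP at or after the session started (even after containment, since a reset
    does not revoke existing sessions), plus anything from another unrecognised
    IP inside the window."""
    out = []
    for ev in mail_events:
        t = parse_ts(ev["time"])
        for start, end, ip in sessions:
            from_intruder = ev["ip"] == ip and t >= start
            in_window_unknown = start <= t <= end and ev["ip"] not in known_ips
            if from_intruder or in_window_unknown:
                out.append(ev)
                break
    return out


def scope(mail_events, sessions, messages, known_ips, audit_enabled=True):
    """Return (status, affected_mrns).

    With mailbox auditing on, affected patients are those named in PHI-bearing
    messages the intruder is seen to have read. With auditing off, absence of
    events proves nothing, so every PHI-bearing message in the mailbox counts
    (the 'unable to rule out' outcome)."""
    def phi_mrns(msg_ids):
        return {m for mid in msg_ids for m in messages[mid]["mrns"] if messages[mid]["phi"]}

    if not sessions:
        return "no_unauthorized_session", set()
    if not audit_enabled:
        return "unable_to_rule_out", phi_mrns(messages.keys())
    ids = [ev["message_id"] for ev in exposed_events(mail_events, sessions, known_ips)]
    return "confirmed_access", phi_mrns(ids)


if __name__ == "__main__":
    sess = unauthorized_sessions(SIGNINS, KNOWN_IPS, CONTAINMENT)
    print("sessions:", sess)
    print("audited:", scope(MAIL_EVENTS, sess, MESSAGES, KNOWN_IPS, audit_enabled=True))
    print("unaudited:", scope(MAIL_EVENTS, sess, MESSAGES, KNOWN_IPS, audit_enabled=False))
```

The point of the two `scope` outcomes is that the size of the notification list is decided by whether the audit trail existed before the incident, not by anything the responders can do afterwards; a tabletop exercise should check that the relevant mailbox and sign-in logs are actually being collected and retained long enough to answer this question.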