Kaiser Permanente has been fined $450,000 by the California Department of Managed Care (CDMC) for impermissibly disclosing the confidential and protected health information (PHI) of up to 167,095 health plan members. Between October 2019 and December 2019, Kaiser Permanente sent 337,755 mailings to enrollees of its health plan; however, an error updating its electronic medical record system resulted in some mailings being sent to outdated addresses.
Kaiser Permanente was contacted by 8 individuals who said they had opened the packets but realized that they were not the intended recipients and 1,788 of the packets were returned unopened as the recipients realized they had been sent to the wrong addresses. The mailings were sent to 167,095 enrollees and Kaiser Permanente could not be sure that those mailings had been received by the intended recipients, which meant thousands of enrollees’ PHI may have been impermissibly disclosed.
CDMC investigated the reported breach and determined there had been an unauthorized disclosure of medical information and negligent maintenance or disposal of medical information, both of which violated the California Confidentiality of Medical Information Act (CMIA). On November 11, 2019, Kaiser Permanente became aware that an error in its electronic medical record system had resulted in a data breach, but it failed to stop the mailings until December 20, 2019, 39 days after the error was discovered. As a result of that failure to act, a further 175,000 mailings were potentially sent to incorrect addresses.
In addition to the financial penalty, Kaiser Permanente has agreed to take corrective actions to prevent further data breaches of this nature, including updating its software systems, conducting periodic checks to confirm addresses are in sync, and performing system checks to ensure it is using the most current physical and/or mailing addresses. Kaiser Permanente will also work with its call center employees to confirm address information, will notify all affected individuals, and will provide refresher training to its staff on the legal standards of the Health Insurance Portability and Accountability Act (HIPAA) concerning the protection of PHI.
“Health plans must protect the confidentiality of enrollee records and maintain and dispose of medical information correctly,” said DMHC Director Mary Watanabe. “Kaiser Permanente agreed to take corrective actions to protect consumers’ confidential information and ensure this doesn’t happen again.”
The post Kaiser Permanente Fined $450,000 for CMIA Violations Due to Mailing Error appeared first on HIPAA Journal.