Kaiser Permanente said Thursday that a data breach had left personal information on 990 Sacramento-area patients exposed to an unknown and unauthorized individual for about 13 hours.
“The exposure was identified by an IT security process and corrected immediately upon discovery,” stated Angela B Anderson, Kaiser’s regional compliance director and privacy and security officer for Northern California, in an email sent to The Sacramento Bee. “We do not have any evidence that the information was viewed, used or copied. Kaiser Permanente takes the protection of our member data very seriously.”
In a letter to Kaiser members, issued Sept. 27, Anderson explained that the unauthorized individual had access to a Sacramento-area provider’s email account, and data in that email account included a combination or some of the following: date or dates of service, age, date of birth, gender, provider name, provider comments, payer name, diagnosis, medical history, benefit information, insurance coverage status, treatment procedure and service provided.
The patients’ Social Security numbers and financial information were not in the emails, Anderson said, and Kaiser sent out letters to the patients who were affected.
At the ID Theft Resource Center, experts advised victims to proactively contact Kaiser to see what steps they can take to protect their medical accounts from further access.
“The greatest risk when medical information is compromised is medical identity theft,” said Mona Terry, vice president of operations at the resource center. “Someone can use the information compromised in this data breach and attempt to obtain medical services or prescriptions which will then be billed to the victim/victim’s insurance provider.”
Together with a digital consulting firm called Futurion, the ID Theft Resource Center created a free software tool at breachclarity.com that allows consumers to see the security risk posed by a data breach and learn how to protect themselves. On a scale of 1 to 10, the Kaiser breach rated a 4, according to breachlarity.com.
The year 2019 has seen some sizable data breaches at health care companies. In early May, for instance, billing services vendor American Medical Collection Agency revealed in a filing with the Securities and Exchange Commission that it had been hacked for eight months between Aug. 1, 2018 and March 30, 2019. That breach affected 12 million people at Quest Diagnostics, and other companies are still assessing the impact to their customers.
Roughly 9.7 million Americans had health care records exposed, disclosed or stolen in the first half of 2019, putting this year easily on pace to surpass the 12.1 million individuals affected in 2018.
Unlike credit cards and other financial information, an individual’s personal health history — ailments, illnesses, surgeries — doesn’t change, and it can be used to persuade unwitting customers that scammers are actually legitimate. In one such scam, fraudsters call up and pretend to be representatives of Medicare or a medical supply company. Then, along with your personal information, they use threats or incentives to get more financial information or to get your Medicare number. For instance, they may say they need the info to send free services, equipment or a new Medicare card. Alternately, they may threaten that you’ll be hit with fees if you don’t provide the information.
How to protect yourself
Consumer Reports suggests that consumers take these steps to protect themselves from identity theft and fraud.
- If you don’t know the caller, hang up. Don’t engage with any robocallers because it can end up in more calls.
- Know that caller ID is not always reliable. Scammers can make it look like their calls are coming from trusted institutions.
- Don’t pay people who call you over the phone. More than likely, the person trying to get your money is an unlawful robocall.
- Never pay by wire transfer, gift card or prepaid card over the phone. Legitimate companies and government agencies will not ask to be paid with Amazon, Google Play or iTunes gift cards.
- You’ll be told a dramatic story. Resist the urge to act immediately. Stop and consult with a trusted friend or relative, even if the caller requests that you tell no one.
- Report scam calls to the Federal Trade Commission at donotcall.gov or by calling 877-382-4357. Regulators can use the information in their enforcement efforts.
- Register for the Do Not Call Registry at donotcall.gov. This may not reduce calls from criminals who ignore the registry, but it will reduce calls from the lawful companies.