California officials investigate whether Kaiser violated patient privacy laws

by Kenny Goldberg, KPBS.org

Kaiser Permanente may be held responsible for compromising the medical records of nearly 300,000 people.

In 2008, Kaiser hired an outside contractor to organize and move some 300,000 patient files.

Over time, Kaiser repeatedly emailed the contractor with requests to pull certain records. The requests contained patients names, dates of birth, and social security numbers. But the Los Angeles Times reports only one out of more than 600 emails was encrypted, a potential violation of patient privacy.

Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse, said Kaiser should have known better.

"Encryption of email messages is not rocket science, it’s something that’s fairly well advanced in the marketplace," Givens explained. "So they really should have required encryption."

In October, Kaiser sued the contractor for not returning all patient files when it asked for them. Kaiser accused the contractor of leaving computer hard drives in a garage with the door open.

Givens said Kaiser is ultimately responsible for any security breaches. She can’t understand why the company was so lax.

"’Cause frankly, Kaiser’s been a leader in the whole transition from paper to electronic records. So it puzzles me," Givens said.

Kaiser said it’s confident patient information wasn’t compromised.

Givens said in light of the high number of medical data breaches nationwide, she recommends everyone request their medical records once a year. Givens explained it’s like checking your credit report.