Earlier this month, the California attorney general filed a lawsuit against Oakland-based Kaiser Foundation Health Plan over the timing of its response to a data breach.
In September 2011 Kaiser officials learned an external hard drive containing the personal information of the organization’s former and current employees had been purchased at a thrift shop. Kaiser was able to locate and secure custody of the hard drive by December 2011, at which point the organization learned the drive contained the unencrypted personal information of more than 20,000 employees and employees’ family members. Notification letters were sent out to those affected in March 2012.
The suit alleged Kaiser engaged in unfair business practices by not informing affected individuals more quickly. Even though Kaiser’s investigation into the exact contents of the hard drive was not complete until February 2012, the suit argued Kaiser could have begun mailing notification letters on a rolling basis.
Kaiser officials report a settlement has been reached with the attorney general's office. "While we have notified employees in the past if their unencrypted personal information was involved in an incident, we have agreed to be even more timely in our notifications and to notify employees as information becomes available, rather than at the conclusion of an investigation. We will also be adding training to our existing compliance courses for Kaiser Permanente employees regarding the sensitive nature of employee-related information, as well as continuing to review and improve our policies to safeguard confidential information," according to a company statement.