Cyber Incident Victim: Kaiser Permanente

On April 5, 2022, Kaiser Permanente experienced a data breach when an unauthorized attacker accessed an employee’s email account containing protected health information (PHI). The healthcare provider, serving over 12.5 million members across eight U.S. states and Washington, D.C., discovered the incident promptly and terminated the attacker’s access within hours. The breach specifically impacted 69,589 patients of the Kaiser Foundation Health Plan of Washington, as confirmed in a filing with the U.S. Department of Health and Human Services Office for Civil Rights. Exposed information included patients’ first and last names, medical record numbers, dates of service, and laboratory test result information. Kaiser Permanente explicitly stated no Social Security numbers or credit card details were compromised in the incident. The organization initiated an investigation to assess the breach’s scope and potential misuse of data, though no evidence confirmed theft or exploitation of the exposed PHI.

Kaiser Permanente notified affected individuals through letters mailed on June 3, 2022, and published a public notice on its website detailing the incident. Immediate containment measures included resetting the compromised email account’s password and providing additional training to the employee on secure email practices. The organization also stated it was exploring further steps to prevent similar incidents in the future. While the breach was confined to a single employee’s email account and swiftly contained, Kaiser Permanente acknowledged the possibility that PHI could have been accessed or misused despite lacking conclusive evidence. The incident underscored operational risks associated with email-based PHI handling within a major healthcare network, though it did not disrupt broader patient care services or affect systems outside the Washington subsidiary.