Kaiser Health Plan Slapped with $200K Data Privacy Fine

June 23, 2005 (PLANSPONSOR.com) - California state authorities have fined Oakland, California-based Kaiser Foundation Health Plan $200,000 for having patient health information accessible on a Web site for up to four years.

The Department of Managed Health Care (DMHC) said in a Web site statement that Kaiser was responsible for creating a Web site, used as a testing portal by its information technology staff, that contained confidential patient information. The data included names, addresses, phone numbers and lab results, according to the agency.

Officials charged that the site was set up and available for public viewing in 1999 without the prior consent of those affected, a fact that violated California law and the plan’s own privacy policies.

“Patients must be assured that health plans will, at all costs, do everything possible to protect confidential information,” Cindy Ehnes, director of the DMHC, said in the announcement. “As we work on broadening the use of electronic medical records to improve patient care, on both the state and federal levels, health plans must make security of confidential information a top priority.”

The Golden State agency said officials were concerned that Kaiser allowed the site to languish on the Web in an accessible format and did not remove it until its existence was brought to the attention of federal civil rights authorities in January 2005. In addition, the DMHC charged that Kaiser did not inform state regulators until after the site had been reported to the media in March. Kaiser has since informed all of the approximately 150 members who may have been affected.

“Not only was this a grave security breach, Kaiser did not actively work to protect patients until after they had been caught,” Ehnes said in the statement. “We’re imposing this fine because we consider this act to be irresponsible and negligent at the expense of members’ privacy and peace of mind.”

Under state law, a health plan can be fined if it violates the confidentiality of medical information without first obtaining the individual’s authorization. In addition to the federal Health Insurance Portability and Accountability Act (HIPAA), state law has its own privacy statutes contained in the Civil Code, the DMHC statement said.

Kaiser officials, who have been cooperating throughout the investigation, have until June 25 to present any information disputing the DMHC’s findings; otherwise the fine will be imposed.

According to a Thompson.com report, Elisa Cooper, whom Kaiser terminated in 2003, posted a link to the site on her own Web log in July 2004; DMHC ordered her to remove it in March. She claimed to be acting as a whistleblower, but Kaiser is suing her, contending that her posting was the major privacy breach, Thompson said.