Kaiser Permanente, the biggest nonprofit health plan provider in America, recently announced a data breach that exposed highly sensitive health information of close to 70,000 patients.
In a June 3 notice sent to patients, Kaiser disclosed that a hacker was able to gain access to an employee’s emails at the Kaiser Foundation Health Plan of Washington on April 5. This contained protected health information such as patient names, dates of service, medical record numbers and lab test results information. However, according to the healthcare provider, financially sensitive information like social security and credit card numbers, was not exposed by the breach.
The company has kept mum on the scale of the breach, but a separate filing with the U.S. Department of Health and Human Services confirmed that 69,589 individuals were impacted.
“We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident,” Kaiser said in its notice.
Kaiser has also not discussed how an unauthorized third party was able to gain access to the employees’ emails. However, it said that the hacked employee “received additional training in safe email practices,” suggesting the breach may have been performed via credential stuffing or phishing.
The company has also not commented on why it took them almost two months to inform patients about the breach.
Kaiser Permanente is the latest in a long line of healthcare providers whose private data had been breached by hackers.