California and U.S. authorities are investigating whether Kaiser Permanente violated some 300,000 patients’ privacy when dealing with a Mom and Pop document storage company that kept medical records in a shared warehouse and stored sensitive data on home computers.
The investigation, according to the Los Angeles Times, was triggered by a complaint filed last year by Stephen and Liza Dean of Indio, Calif., who claim Kaiser failed to safeguard patients’ medical records. The Deans contend Kaiser gave the paper files to them for almost seven months without a contract and that employees routinely e-mailed them for patient records, providing full names, dates of birth and Social Security numbers and treatment dates to ensure the proper folders were pulled. Those emails remained on their home computers until about a week ago.
Stephen Dean told a reporter only one in 600 of those emails was password-protected. He said that at one point he considered notifying Kaiser patients their sensitive data was exposed. Kaiser blocked the move by getting a temporary injunction that expires on Thursday, when another hearing is scheduled.
The nonprofit health care provider, the largest of its kind in the United states with 9 million patients, told the Times it had yet to be contacted by investigators.
The Deans, who operate Sure File Filing Systems, were hired by Kaiser in 2008 to organize and clear out patient files following the company’s acquisition of the Moreno Valley Community Hospital. Those files were stored at an Indio warehouse shared with a party rental company until 2010, when Kaiser retrieved them.
“Kaiser has shown extraordinary recklessness in this situation,” Beth Givens, director of the Privacy Rights Clearinghouse, told the Times. “Healthcare companies have to make sure their contractors adhere to ironclad security practices.”
In October, Kaiser sued the Deans for not returning all of the patient files when employees came to collect them from storage. The company also complained the Deans had left two computer hard drives holding patient data in an unsecured garage; those drives, containing spreadsheets, later were transfered to a room inside the Dean’s home.