Friday, March 11, 2005

Incident: "Disgruntled" employee said to have posted confidential personal health information of insureds online

The San Jose Mercury News is reporting on an interesting development. HMO Kaiser Permanente is informing 140 of its insureds that a former employee posted confidential medical information on her blog. She says that it is Kaiser Permanente's fault, but that's beside the point to the 140 people involved. See the Mercury News (registration req'd), 03/11/2005, "Patients' private data put online":

"In a troubling episode involving medical privacy in the digital age, Kaiser Permanente is notifying 140 patients that a disgruntled former employee posted confidential information about them on her Weblog.

The woman, who calls herself the 'Diva of Disgruntled,' claims it was Kaiser Permanente that included private patient information on systems diagrams posted on the Web, and that she pointed it out.

The health care giant learned of the breach from the federal Office of Civil Rights in January, said Kaiser spokesman Matthew Schiffgens. Kaiser has been investigating ever since, Schiffgens said, but it wasn't until Wednesday that it asked the Internet service provider hosting the blog to remove the information...."

Jeff Drummond at HIPAA Blog has some interesting things to say about the incident:


"...The article indicates that the blogger could be subject to HIPAA penalties for the disclosure. One of my fellow HIPAAcrats on the AHLA HIT list noted that the article is wrong in this regard, since Kaiser will be the one subject to the penalties. Rightly or wrongly, in light of the Gibson case, I disagree. The blogger would certainly be subject to a HIPAA enforcement action if the Department of Justice were so inclined to take that route. Kaiser would also be subject to an enforcement action for the original posting on the technical Web site, but their defense would be one of inadvertence. It would be hard for the blogger to make that claim for her intentional posting."

Update: The former employee at issue has her blog still up and running. Not only that, but she's posted a comment on the publicity surrounding this incident:

corphq: Kaiser Trying to Rile Up Patients?:

"Kaiser Trying to Rile Up Patients?

Just read the Mercury News story:

It looks like Kaiser is now informing patients of the 'unlawful disclosure'. The only reason why I can think they would do this now is that Kaiser hopes to whip up people against me. If Kaiser really thought people should know about the patient information, they would have informed people months ago when they quietly took the Systems Diagrams *they* posted offline.

Kaiser had the patient information posted online since *2002* at Here is my blog post from July 2004 where I first pointed it out:

Kaiser did not respond to my complaints or inform the patients at that time, and they did not take the Systems Diagrams down until September. Still not a word to the patients.

I also find it interesting that I couldn't get the press to cover it when I contacted everybody and their grandmothers to show what Kaiser had done. Now that Kaiser wants to hound me, however, the press is interested...."

Thanks to Health Care Blog Law for the above link: Health Care Blog Law : Private Patient Data Posted Online Blog by Disgruntled Former Kaiser Employee
