Kaiser Employees Fired for 'Snooping' into Medical Records

Ralph DeFrangesco

Fifteen Kaiser Permanente employees were recently fired and another eight were reprimanded for accessing the medical records of Nadya Suleman, better known as the "Octomom." The employees all worked at the Bellflower, Calif., facility when the octuplets were born. California, along with several other states, has laws protecting the privacy of patient health data.


The U.S. government wants to make all of our health records available in electronic format. In fact, President Obama allocated $19 billion for this project in his stimulus plan. The idea is that by making our records available electronically, it will raise health care quality and lower its costs.


The only groups to benefit from this are the insurance companies and the health care tech companies that sell software-based practice management and patient-record systems to doctors and dental practices. This is a red flag, a challenge, a taunt to hackers to attack our systems and steal this data. But I digress.


I worked for a company that manufactured medical devices, a large regional health care insurance provider, and a very large national health care provider, so I know a little bit on the subject. The type of incident at Kaiser falls under several security categories including data loss prevention, privacy, HIPAA, data security, network security, the list can go on and on.


Call it whatever you want, but at the end of the day, it was an internal breach. More than likely, the people that viewed the data had access to it for legitimate purposes. I know I have said this several times in my blogs, but this type of attack is very difficult to protect against because it came from the inside. Whether it's financial data or personal health care records, the following guidelines, at a minimum, should be used:


  • Whether data is used internally or sent externally, encrypt all data.
  • Use the best practice of least privilege. Who needs access, at what level, and why?
  • Review access rights on a regular basis.
  • Don't use production data in your development/test environment.
  • Use a firewall when critical data is involved.
  • Use intrusion detection and intrusion prevention.
  • Adopt a data loss prevention program.
  • Protect backups (onsite and offsite).
  • Monitor, audit and report.


I believe Kaiser took the right action. We need to make people in trusted positions accountable for their actions. Technology alone can't protect you against an internal breach.

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.


Add Comment      Leave a comment on this blog post
Apr 16, 2009 7:17 PM Beoweolf Beoweolf  says:

On a mostly vendictive, "They Got what they had coming" point of view - I might agree that its about time that managment to security, personal infromation breeches seriously. Way too often, some record, mug shot, criminal case is posted on the 5 o'clock news so fast, that the "facts" of the case are compromised. The generic Public has an insatible appitaite for criminal, legal, moral, financial revelations about the cause or celebrity Du jour.

Unfortunately - its only the cogs, never the Wheel - that are made examples of. So, should we punish the addict, the supplier or the drug?

It is a crime is to ask for so much un-necessary information from the public, but the real crime is to leave it unprotected - despite rules already in place to prevent it. Businesses should not be given a "free-pass" when they disregard (or only perform minimal protection for patient records). Security IS important - as is personal integrity. Including the Doctor that uses his access to personal data as cocktail conversation anecdotes.


Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.

Subscribe Daily Edge Newsletters

Sign up now and get the best business technology insights direct to your inbox.