Lucky Break Exposes Kaiser Breach
A stroke of luck led to discovery of the theft of 30,000 Kaiser Permanente employees' personal data.
Police in the city of San Ramon, Calif. found personal information of thousands of people on the hard disk of a computer taken from the apartment of a suspect arrested for possession of stolen property and involvement in various fraud cases.
On realizing that about 30,000 of the people listed in files on the computer were employees of the northern California offices of health care services provider Kaiser Permanente, the police notified Kaiser, Lt. Dan Pratt, public information officer at the San Ramon Police Department, told InternetNews.com.
"We don't know how she got that information, and we're working with Kaiser and other investigation agencies on her case," Pratt said.
Kaiser spokesperson Gerri Ginsburg told InternetNews.com that San Ramon police notified the organization of the breach in late January. "We began notifying employees last Thursday evening," she added. She said 29,500 employees were affected, but no patients had their information stolen.
In a statement on Kaiser's Web site, Gay Westfall, the organization's senior vice president of human resources, said only a handful of employees have reported employee theft so far. Information stolen includes employees' names, addresses, phone numbers, social security numbers and dates of birth.
Ginsburg said the suspect was not an employee of Kaiser and she does not know how the suspect managed to get the information.
Kaiser has launched an internal investigation concurrently with that of San Ramon police, Ginsburg said. "We'll take any necessary steps to make sure this doesn't happen again, so we'll be reviewing our systems and equipment," she added.
Westfall's statement said Kaiser restricts access to sensitive information through electronic access controls, and requires data to be encrypted on electronic devices, such as laptops and mobile devices, that it owns.
According to Pratt of the San Ramon P.D., the United States Postal Inspection Service (USPIS) is also investigating the suspect, in connection with another fraud case. Calls to the USPIS were routed to a voice mail box which was not accepting any messages.
The USPIS is a federal agency, and any charges it brings will be tried in a federal court, which hands down more severe penalties than local courts. Postal inspectors enforce more than 200 federal laws that may affect or involve the U.S. Postal Service, the postal system or postal employees, including burglary, mail fraud and identity fraud.
Pratt said other agencies are also investigating the suspect for identity theft but declined to be more specific. "The other agencies were taking reports from an individual who complained of ID theft, and they did not know who the suspect was, but our investigation pinpointed an actual suspect," Pratt said.
The suspect has not yet been charged with the original crimes under investigation by the San Ramon P.D. -- possession of stolen property and forgery -- because the district attorney is still working on the charges, Pratt said. "It may take a bit of time before they can nail down a good, solid case regarding the information stolen from Kaiser," he added.
According to Pratt, the suspect lives in San Ramon and there is nothing to stop her from taking off before she is charged.
This is the third data breach since December from an organization that says it has strong security measures in place. The first was payment processor RBS WorldPay, which had the personal financial account information of about 1.5 million people, and social security numbers of 1.1 million people, stolen by a hacker in December.
Then, in late January, Heartland Payment Systems, one of the five largest payment processors in the United States, was hit, in a breach many believe will impact even more people than the TJX breach.
Heartland processes more than four billion transactions a year. The TJX data breach, which was the largest known, impacted up to 47.5 million people, TJX Companies said in a filing with the Securities and Exchange Commission in March.