Lucky Break Exposes Kaiser Breach

A stroke of luck led to discovery of the theft of 30,000 Kaiser
Permanente employees’ personal data.

Police in the city of San Ramon, Calif., found personal information of thousands of people on the hard disk of a computer taken from the apartment of a suspect arrested for possession of stolen property and involvement in various fraud cases.

On realizing that about 30,000 of the people listed in files on the computer were employees of the northern California offices of health care services provider Kaiser Permanente, the police notified Kaiser, Lt. Dan Pratt, public information officer at the San Ramon Police Department, told

“We don’t know how she got that information, and we’re working with
Kaiser and other investigation agencies on her case,” Pratt said.

Kaiser spokesperson Gerri Ginsburg told that San
Ramon police notified the organization of the breach in late January. “We
began notifying employees last Thursday evening,” she added. She said 29,500
employees were affected, but no patients had their information stolen.

In a statement on Kaiser’s Web site, Gay Westfall, the organization’s senior vice president of human resources, said only a handful of employees have reported employee theft so far. Information stolen includes employees’ names, addresses, phone numbers, social security numbers and dates of birth.

Ginsburg said the suspect was not an employee of Kaiser and she does not
know how the suspect managed to get the information.

Kaiser has launched an internal investigation concurrently with that of
San Ramon police, Ginsburg said. “We’ll take any necessary steps to make
sure this doesn’t happen again, so we’ll be reviewing our systems and
equipment,” she added.

Westfall’s statement said Kaiser restricts access to sensitive
information through electronic access controls, and requires data to be
encrypted on electronic devices, such as laptops and mobile devices, that it

According to Pratt of the San Ramon P.D., the United States Postal
Inspection Service (USPIS) is also investigating the suspect, in connection
with another fraud case. Calls to the USPIS were routed to a voice mail box
which was not accepting any messages.

The USPIS is a federal agency, and any charges it brings will be tried in
a federal court, which hands down more severe penalties than local courts.
Postal inspectors enforce more than 200 federal laws that may affect or
involve the U.S. Postal Service, the postal system or postal employees,
including burglary, mail fraud and identity fraud.

Pratt said other agencies are also investigating the suspect for identity
theft but declined to be more specific. “The other agencies were taking
reports from an individual who complained of ID theft, and they did not know
who the suspect was, but our investigation pinpointed an actual suspect,”
Pratt said.

The suspect has not yet been charged with the original crimes under
investigation by the San Ramon P.D. — possession of stolen property and
forgery — because the district attorney is still working on the charges,
Pratt said. “It may take a bit of time before they can nail down a good,
solid case regarding the information stolen from Kaiser,” he added.

According to Pratt, the suspect lives in San Ramon and there is nothing to stop her from taking off before she is charged.

This is the third data breach since December from an organization that
says it has strong security measures in place. The first was payment processor RBS WorldPay, which
had the personal financial account information of about 1.5 million people, and social security numbers of 1.1 million people, stolen by a hacker in December.

Then, in late January, Heartland Payment Systems, one of the five largest
payment processors in the United States, was hit, in a breach many believe
will impact even more people than the TJX breach.

Heartland processes more than four billion transactions a year. The TJX data breach, which was the largest known, impacted up to 47.5 million people, TJX Companies said in a filing
with the Securities and Exchange Commission in March.
