Hackers Gained Access to Tens of Thousands of Patients’ Test Results in California’s Biggest Hospital System

Hackers Gained Access to Tens of Thousands of Patients’ Test Results in California’s Biggest Hospital System
Photo: Ringo Chiu, AP

California’s biggest hospital system has divulged a massive data breach that exposed sensitive medical information on some 69,000 patients.

The breach of Kaiser Permanente’s systems was initially disclosed to patients in a June 3 letter, TechCrunch reports. That letter states that the breach was initially discovered on April 5, when officials found that an “unauthorised party” had gained access to a Kaiser employee’s emails. Those emails contained “protected health information” on tens of thousands of Kaiser customers, according to the letter. The total number of people affected by the breach is 69,589, according to a separate filing with the Department of Health and Human Services.

The exposed data included first and last names, medical record numbers, dates of service, and laboratory test result information, the disclosure letter states. It did not involve social security or credit card numbers, according to the letter.

“We terminated the unauthorised access within hours after it began and promptly commenced an investigation to determine the scope of the incident,” says Kaiser’s email to customers, which was shared by TechCrunch. “We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorised party, we are unable to completely rule out the possibility.”

It’s not entirely clear how the “unauthorised party” gained access to the emails, though the HHS filing categorizes the episode as a “Hacking/IT Incident.” We reached out to Kaiser Permanente for further information on this incident and will update our story if they respond.

The healthcare industry has seen a swell of unwanted attention from cybercriminals over the past several years. Just last week, a Massachusetts healthcare organisation disclosed that a data breach had exposed data on what treatments as many as two million people had received as well as their names, birthdays, and Social Security numbers. Hospitals and healthcare providers were big targets during the pandemic, and it isn’t difficult to see why. Medical facilities are appetizing targets for online criminals because they house giant repositories of personal information — all of which can be ransomed or stolen and sold on the dark web. Hospitals’ ageing digital infrastructure generally also doesn’t provide the best cybersecurity protections in the world.