Breaching the security of an Internet Patient Portal
Kaiser Permanente is a health delivery system that serves over eight million members in nine states and the District of Columbia. In the late 1990s, Kaiser Permanente introduced an Internet patient portal, Kaiser Permanente Online (also known as KP Online). Members can use KP Online to request appointments, request prescription refills, obtain health care service information, seek clinical advice, and participate in patient forums.
Information System challenge.
In August 2000, there was a serious breach in the security of the KP Online pharmacy refill application. Programmers wrote a flawed script that concatenated over eight hundred individual e-mail messages containing individually identifiable patient information, instead of separating them as intended. As a result, nineteen members received e-mail messages with private information about multiple other members. Kaiser became aware of the problem when two members notified the organization that they had received the concatenated e-mail messages. Kaiser leadership considered this incident a significant breach of confidentiality and security. The organization immediately took steps to investigate and to offer apologies to those affected.
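The page does not show Kaiser's script, so the following is an added illustration of the class of defect it describes: a refill-notification loop that carries message text over from one member to the next, shown beside a corrected version and a pre-send check that would have caught the leak. The member records, e-mail addresses and function names are constructed for this example.

```python
"""Added illustration, not Kaiser's code: a notification loop that leaks
other members' data by carrying a buffer across iterations, the fix, and a
pre-send guard that detects any message mentioning a non-addressee."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Refill:
    member_id: str
    email: str
    medication: str


# Constructed sample data; these are not real members or addresses.
REFILLS = [
    Refill("M001", "a@example.org", "lisinopril"),
    Refill("M002", "b@example.org", "metformin"),
    Refill("M003", "c@example.org", "atorvastatin"),
]


def build_messages_buggy(refills):
    """Buggy: `body` is created once, outside the loop, and never reset,
    so every message also contains all previously rendered members' lines."""
    messages = []
    body = ""
    for r in refills:
        body += f"Member {r.member_id}: your {r.medication} refill is ready.\n"
        messages.append((r.email, body))
    return messages


def build_messages_fixed(refills):
    """Fixed: each body is built from scratch for its own member."""
    return [(r.email, f"Member {r.member_id}: your {r.medication} refill is ready.\n")
            for r in refills]


def leaked_messages(messages, refills):
    """Pre-send guard: list (address, [other member ids]) for every outbound
    message whose body mentions a member other than the addressee.
    A non-empty result should block the whole batch from being sent."""
    owner = {r.email: r.member_id for r in refills}
    ids = {r.member_id for r in refills}
    leaks = []
    for email, body in messages:
        others = {m for m in ids if m in body} - {owner[email]}
        if others:
            leaks.append((email, sorted(others)))
    return leaks
```

The guard is cheap because the script already knows which member each message is for; it turns a silent confidentiality failure into a blocked batch and an alert before anything leaves the system.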
On the same day the first member notified Kaiser about receiving the problem e-mail, a crisis team was formed. The crisis team began a root cause analysis and a mitigation assessment process. Three days later Kaiser began notifying its members and issued a press release.