Our Point of View

February 27, 2009 (originally published February 6, 2009)

Update: Kaiser Permanente Comments on Northern California Employee Information Breach

Feb. 27 statement from Gay Westfall, Senior Vice President, Human Resources, Kaiser Foundation Health Plan/Hospitals, Northern California

It has now been confirmed that Kaiser Permanente was not the source of the breach of personal employee data of approximately 29,500 Northern California Kaiser Permanente employees.

During the week of February 3 we notified these employees about a breach of their personal employee data. No personal health or member related information was involved.

Based on forensic evidence and documentation uncovered by law enforcement, it appears that the information was taken in July 2007 from the offices of United Healthcare Workers (UHW), a labor union representing Kaiser Permanente employees. Kaiser Permanente provided the information to the union in connection with remittance of dues payments, a legitimate activity that Kaiser Permanente employees voluntarily authorized.

We are continuing to work closely with local and federal law enforcement as they investigate potential suspects outside of Kaiser Permanente regarding this data breach.

Protecting the privacy and security of our employees' information is a top priority at Kaiser Permanente. We want our employees to know that we will continue to offer our assistance to help minimize the inconvenience and stress this situation may cause, even though we are confident that we were not the source of this data breach. Because of our concern for our employees, we will continue to provide one year of free credit monitoring to affected employees.

Feb. 6 statement from Gay Westfall, Senior Vice President, Human Resources, Kaiser Foundation Health Plan/Hospitals, Northern California

Kaiser Permanente is committed to protecting the confidentiality of our employees’ personal information. We recently were notified that law enforcement had seized a computer file containing Kaiser Permanente Northern California employee information found in possession of a suspect who was arrested. The suspect is not a Kaiser Permanente employee. The computer file was confiscated and a copy was shared with Kaiser Permanente.

We immediately launched an internal investigation. We are working to determine the source of this breach, and we are working closely with law enforcement in their investigation. To our knowledge, only a handful of employees have reported identity theft.

The file appears to contain information typically considered to be employee personal data, including employee name, address, phone number, Social Security number, and date of birth. No Kaiser Permanente member information or personal health information was involved.

We regret that this unfortunate incident occurred, and we understand the anxiety and worry that some employees may feel. We are notifying each employee whose information was included via phone and letter to provide additional information. We have also set up a toll-free number to help employees with questions: 1-877-281-3573. Because sensitive employee information was included in the file, we will also provide one year of free credit monitoring to employees whose information was included.

Protecting our employees’ personal information is an ongoing priority at Kaiser Permanente. We restrict access to sensitive information through technical safeguards such as electronic access controls, and we require data to be encrypted on Kaiser Permanente electronic devices such as laptops and mobile devices. We also continually upgrade our systems and software and implement the most up-to-date security safeguards, and we regularly educate our staff about their privacy and security responsibilities through our established policies and procedures.

We will continue to assess our internal systems and processes and take the necessary steps to further strengthen our security measures and protect our employees’ information.