HMO Breaches Members' Privacy
FYI: Two articles on health insurer's privacy problem (from Washington Post
and SF Chronicle). Good example of a data valdez!
'Sensitive' Kaiser E-Mails Go Astray
By Bill Brubaker
Washington Post Staff Writer
Thursday, August 10, 2000; E01
Kaiser Permanente, one of the nation's largest health insurers, said
yesterday that it accidentally compromised the confidentiality of members
who used its Web site by sending 858 e-mail messages--some of which
contained "sensitive" personal medical advice--to the wrong Kaiser members
last week.
In all, 19 Kaiser customers around the country received e-mails intended for
others. Some of the e-mails contained hundreds of messages.
Kaiser officials attributed the misdirected correspondence from online
nurses and pharmacists to "human error" and a "technological glitch" that
occurred Aug. 2 when a Silver Spring-based technician was upgrading the
company's World Wide Web site.
Kaiser spokeswoman Beverly Hayon said one example of what she called
"sensitive" information was a response to a Kaiser member's question about a
sexually transmitted disease. The majority of the e-mails, however,
concerned more routine matters.
Members can use the site to fill prescriptions, make appointments and seek
medical advice by e-mail.
Some of the missent messages contained the full names, home phone numbers
and medical account numbers of the Kaiser members, Hayon said. She said 219
e-mails were bound for Kaiser customers in the Washington-Baltimore area.
"This is not a security breach of our Internet service," Hayon said. "This
is a technical glitch when we were upgrading software . . . This is
accidentally sending e-mails to the wrong people. All of us have sent
e-mails to the wrong persons. . . . We are conducting an investigation to
ensure this won't happen again."
Kaiser officials said they have reported the problem to insurance regulators
in the states they serve. But Elana Mezile, a spokeswoman for the Maryland
Insurance Administration, said a Kaiser official told the agency that the
e-mails only involved "people setting up appointments." She added: "We will
monitor the situation and stay in touch with Kaiser to make sure this and
any other e-mail problem has been taken care of."
A notice on Kaiser's Web site reads: "Your information is confidential. We
are dedicated to keeping your personal health information confidential. We
take many precautions to make sure others can't pretend to be you and get
your confidential information from this Web site. . . . As long as you don't
give out your PIN, any confidential information you send or receive on this
Web site can be seen only by you and Kaiser Permanente staff who have a
'genuine business need.' "
Anna-Lisa Silvestre, director of the Web site, Kaiser Permanente Online,
said company officials have attempted to phone each of the members whose
e-mails were misdirected. Last night, 687 members had been reached, she
said. "We apologized to every single person we called," she said.
Most of the customers were "very gracious," Hayon said. "They understand
technology is not a perfect field. Naturally, some were angry."
The problem began late on the afternoon of Aug. 2, Hayon said, when the
technician began sending out hundreds of e-mails that had backlogged while
he was upgrading the company's technical system.
"Twenty minutes after sending them, he noticed there was something wrong,"
she said. "An awful lot of the e-mails he was sending were very big,"
containing hundreds of messages intended for Kaiser customers. "He
immediately stopped sending the e-mails."
The technician did not notify Kaiser officials of the problem, Hayon said.
But the next morning two Kaiser members--one in the Washington
area--notified the company that they had received other members' e-mails.
Hayon said several of the 19 told Kaiser officials they did not attempt to
read the e-mails. Some immediately deleted the files, she said. Others read
some of the e-mails.
Kaiser, a California-based health maintenance organization, has 8.5 million
customers in 16 states and the District. It has 552,000 members in the
Washington-Baltimore area. About 250,000 customers nationwide use the
"members only" section of Kaiser's Web site, which requires a personal
identification number and account number to enter.
Hayon said Kaiser has made some technological adjustments to its Web site.
"We have fixed the problem," she said. "We have changed protocols for
sending out e-mails. We feel safe saying this particular problem will never
happen again."
© 2000 The Washington Post Company
Errant E-Mails Violate Privacy of Kaiser Members
Janet Wells, Chronicle Staff Writer
Thursday, August 10, 2000
©2000 San Francisco Chronicle
URL: http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/08/10/MN56245.DTL
Regional -- Kaiser Permanente violated the patient confidentiality of
hundreds of members last week when e-mails containing sensitive medical
information, names and home phone numbers were mistakenly sent to the wrong
people, Kaiser officials disclosed yesterday.
In a glitch that raises privacy concerns, a programming error occurred
August 2 at a Maryland Web site server facility that Kaiser uses for its
online service. Kaiser On-Line lets members ask for medical and
pharmaceutical advice and schedule appointments.
The error affected 858 members before Kaiser's online support crew caught
the mistake and shut down the program. Had the tech workers not spotted the
problem, it could have affected more than 8,000 members who were receiving
e-mail responses at the time.
Kaiser officials spent the past week calling all 858 members and
apologizing, said Kaiser spokeswoman Beverly Hayon.
``Some are upset,'' Hayon said of members' responses. ``The vast majority
have been gracious.''
More than 400 of the misdirected e-mails were intended for Kaiser members in
California, said Hayon, who characterized the error as an isolated incident
that has been rectified.
``What we're talking about is nothing that breached security of Kaiser
On-Line. No hacker, no virus,'' Hayon said.
FUTURE CONCERNS
Privacy experts, however, say the incident raises concerns about the safety
of online medical services -- especially with the health care industry
pushing digital medical care as ``the new frontier'' to cut costs and
improve access, said Earl Lui, senior attorney with the Consumer Advocacy
Organization in San Francisco.
``It's an example of what could go wrong when you rely on technology rather
than people seeing people. This would not have happened if these people had
come in and seen a nurse or called a nurse,'' he said. ``When you lose that
human element, errors like this can happen.''
The error happened while Kaiser -- the nation's second-largest health
insurance plan -- was doing a routine capacity upgrade of the online system,
which is attracting 20,000 new members a month, said Anna-Lisa Silvestre,
director of Kaiser Permanente On-Line.
About 250,000 of Kaiser's 8 million members nationwide have signed up for
the interactive site, which allows free access to health care news and chat
rooms, as well as medical and pharmaceutical advice and appointment clerks.
The site conducts about 8,400 transactions a month, mostly in scheduling
appointments.
A notice on the Web site assures privacy, reading, ``We are dedicated to
keeping your personal health information confidential. We take many
precautions to make sure others can't pretend to be you and get your
confidential information from this Web site.''
However, during the system upgrade, a technical problem occurred that
interrupted delivery of about 8,000 e-mails, Silvestre explained. Since
Kaiser Permanente On-Line has promised to respond to e-mail queries within
24 hours, technicians quickly wrote a program to resend the e-mails. On
August 2, about 20 minutes after the send program was initiated, a
technician noticed an error and stopped the transmission.
WRONG E-MAIL ADDRESS
Kaiser didn't know about the ramifications of the error until the next day
when a member reported that she had received a response to her question --
along with messages intended for several hundred other Kaiser members. The
member was one of 19 people who received 20 to 400 messages not intended for
them.
Kaiser said most of the e-mails were about routine matters. However, at
least one of the e-mails was a response to a member's question about a
sexually transmitted disease, the Washington Post reported.
Kaiser On-Line is conducting a ``root cause analysis'' to determine the
source of the problem, which will help determine procedures to prevent a
similar mistake, Silvestre said.
Because of lower costs, increased accuracy and convenient access to health
care, online medical services are ``the future of health care,'' said Sam
Karp, chief information officer for the California Health Care Foundation,
which funds health care research and did a landmark study on Internet
privacy.
While Kaiser's mistake ``raised an alarm'' concerning security and
safeguards in online health services, Karp praised the HMO as a pioneer in
the industry.
``We're seeing the early pains of a new health care system emerging,'' Karp
said. ``I certainly hope the (Kaiser) incident won't discourage providers
from offering (online services) or consumers from using it.''
Problems with privacy in the health care arena existed ``before we had all
these new technologies,'' said Daniel Zingale, director of the state's new
Department of Managed Care, who also has high hopes for online health
services benefiting the public.
``Privacy is one area of legitimate concern, but it can be addressed,'' he
said. ``It's like the automobile industry. You don't want to stop building
cars because of break-ins -- you want to build them with locks.''
E-mail Janet Wells at wel...@sfgate.com.
©2000 San Francisco Chronicle Page A1