Kaiser Foundation Health Plan


Under Review: 
No Review
Date Breach Made Public: 
March 19, 2012
geo: 
Oakland , CA
United States
Records Breached: 

30,000

Breach Total Number: 
30 000
Source: 
California Attorney General
Year of Breach: 
Type of organization: 
Type of breach: 

Someone purchased a hard drive in September of 2011 and immediately notified law enforcement that it contained confidential information.  The external hard drive did not come from a Kaiser Permanente office.  It contained employee data that was as recent as 2009.  Current and former employees may have had their names, Social Security numbers, dates of birth, and addresses exposed. There is no evidence that the information from the hard drive was used for illegal purposes as of March of 2012.

UPDATE (3/22/2012): The external hard drive was purchased at a thrift store.  Phone numbers, pay stubs, COBRA Error, Trust Fund Paid Hours, or Fidelity Savings Plan Deduction reports may have also been on the hard drive.

UPDATE (4/16/2012): At least one source lists the total number of affected current and former employees as 30,000.

UPDATE (2/4/2014): Attorney General Kamala Harris has agreed to drop a data breach lawsuit against the Oakland based managed care provider, Kaiser, if they agreed to a $150,000 fine paid to the state and improved their information handling practices.

Originally the suite contended that the health care provider violated the three-month notification law. Kaiser learned of the violation in December 2011 but did not send letters to 20,539 affected Californians until mid-March 2012. The law requires data-holders disclose any breach "in the most expedient time possible and without unreasonable delay".