Kaiser Foundation Health Plan of the Mid-Atlantic States, Inc. has reported that it discovered unauthorized access to its electronic health record system that may have disclosed patient information for more than 8,500 individuals.
“On September 21, 2022, Kaiser Permanente determined that one of its employees inappropriately accessed portions of medical records for patients in the Mid-Atlantic region without a reasonable basis.
“An investigation determined that the former employee’s access was outside the scope of their permissible job functions,” according to the announcement the healthcare provider posted to its website.
No Social Security numbers or financial information were involved in this incident, and there is no evidence that the accessed information – patient demographics and medical information, including photos – was shared or used to commit fraud, the company said in the statement.
After an internal investigation, the employee is no longer working for the company.
In addition to reporting the unauthorized access to federal agencies, the company says it is reviewing policies governing access to patient medical records and has sent letters to affected patients.
Earlier this year, the Health Sector Cybersecurity Coordination Center published a threat briefing on the potential cybersecurity risks of EHRs, ranging from phishing attacks, malware and overlooked gaps in encryption to cloud threats and employees.
“Healthcare leaders should understand where operational vulnerabilities exist in their organization, from marketing all the way down to critical health records,” said the U.S. Department of Health and Human Services’ cyber agency.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS publication.