More than 38,000 Colorado patients of Kaiser Permanente may be at risk for identity theft, after a laptop containing their personal data was stolen from a Kaiser employee in Oakland, California, the company said.
The theft took place on Oct. 4th, and the missing laptop contained such information as names, ages, gender, and medical record data.
Kaiser spokeswoman Jacque Montgomery said that no Social Security numbers were included in the data.
Without explaining how they could read the minds of the thieves, both Montgomery and Kerry Kohnen, Kaiser's vice president of business operations, claimed that the laptop was stolen for its "street value," not for the data contained within it.
The data was part of an "internal health review project," and was password-protected, according to Kohnen. The project centered on two offices in the Colorado area.
Kohnen also admitted that Kaiser employees take their work home with them often, and that the unidentified employee who had the laptop is no longer with the company.
No explanation was provided as to why there were not stronger protections on the laptop, or why it took so long to notify affected patients.
Even without Social Security numbers, the patient information could be used for all manner of fraud, ranging from credit card fraud to medical identity theft.
Kaiser's Keystone Kops
This is not the first time Kaiser patients have been put at risk thanks to a data breach.
In July, another laptop was stolen from Kaiser offices in the Northern California area. This one contained data on 160,000 members who were targeted for hearing aid services marketing.
Then, as now, the company and Oakland police said, without offering any supporting evidence, that the theft was for the laptop, not the data within it, and that it was password-protected.
California's Department of Managed Health Care (DMHC) fined Kaiser $200,000 last year for creating a Web site that exposed the personal information of 150 people for nearly four years. The DMHC charged that Kaiser had failed to remove the data until the breach was brought to the attention of federal and state authorities.
Elisa Cooper, a former Webmaster for Kaiser, blew the whistle on the Web site breach by bringing it to the attention of federal regulators.
Cooper was sued by Kaiser for what they called "breach of contract." Cooper claimed that Kaiser was setting her up to take the fall for their own inattention to patients' privacy.
Cooper currently keeps a running tally of mishaps and mismanagement perpetrated by Kaiser on her blog. Commenting on the latest laptop theft, she said "Who knows how many times this happened before the HIPAA-enforcers started obliging Kaiser to come clean?"
