Private Patient Data Posted Online Blog by Disgruntled Former Kaiser Employee

Today I read an article (see below) from the iHealthBeat newsletter reporting on an article which appeared in the March 11, 2005, San Jose Mercury News. This will be the 3rd well published breach of private data in as many weeks (see my post on ChoicePoint and Lexis-Nexis). This is also interesting because it involves blogging and employee issues which is the topic of much debate these days due to some other recent high profile cases.

Based on the comments in the article it appears that a privacy related complaint under the Privacy Rule created under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was filed either by one of the parties involved or the blogger and former employee herself since the Office of Civil Rights is now involved and investigating. The article points out that the former employee may face significant fines and penalties, however the article does not point out that the health care provider responsible for complying with the HIPAA mandates may also face such charges.

I did some quick Googling and seemed to come across the blog of "Diva of Disgruntled" which is interestingly titled "Corporate Ethics". The blog contains a recent post today in response to the news break on the matter.

It will be interesting to watch this one unwind.

Following is the iHealthBeat article:

Kaiser Permanente is alerting 140 patients in Northern California that a disgruntled former employee posted private information about them on her blog, the San Jose Mercury News reports. The information includes medical record numbers, patient names and information about some routine lab tests, but not the test results. Kaiser in January learned of the breach from the federal Office of Civil Rights and has been investigating the issue since then, said Kaiser spokesperson Matthew Schiffgens. However, Schiffgens said Kaiser on Wednesday asked the Internet service provider hosting the blog to remove the data, the Mercury News reports. The former employee, who calls herself the "Diva of Disgruntled," said that the company posted the patient information on an unsecured Web site and that Kaiser took it down only after she pointed it out, the Mercury News reports. She said she reposted the information to another site to illustrate how easy it was for someone to access the information, which she said had been on the Internet for a year. She said she also filed a complaint with the federal Office of Civil Rights. Schiffgens said Kaiser has been unable to confirm the woman's claims that it posted private patient data, but he said the woman still breached her obligation to protect member confidentiality by posting the information herself. Schiffgens said Kaiser might take legal action against the woman, the Mercury News reports. Under HIPAA rules, she could face fines of up to $250,000 and 10 years in prison for unlawfully disclosing patient data (Feder Ostrov, San Jose Mercury News, 3/11).