HIPAA

Yesterday, the California Department of Managed Healthcare (CDMH)
fined Kaiser Permanente $200,000 for an unlawful disclosure of patient
information on the Internet (CDMH press release here). Kaiser was fined for not reporting this disclosure to the CDMH.

DMHC officials were concerned that Kaiser allowed the site to
languish on the Web in an accessible format and did not act to remove
it until its existence was brought to the attention of federal civil
rights authorities in January 2005. In addition, Kaiser authorities
chose not to inform state regulators until after the site had been
reported to the media in March. However, Kaiser has since informed all
of the approximately 150 members who may have been affected.

The breach was caused by a contractor who left database schemas
of Kaiser's Health Connect project on an open web site
some time between 2002 and 2004. Somewhere in those charts were
patient records on 150
of Kaiser's patients. These "leftovers" were discovered by Elisa
Cooper, a recently terminated Kaiser employee, who blew the whistle on
Kaiser. You can see Elisa's survey of this news, along with her
comments, on her blog.

You can get more details at The Health Care Blog, and the HIPAA Blog.