System Update Error Triggered the Mailing of 337,747 Letters to Old Addresses
State regulators have fined health plan Kaiser Permanente $450,000 for a mailing mishap that sent private health records to the outdated addresses of more than 300,000 patients. The erroneous mailing was triggered by a technical update of the health plan’s electronic health records system.
The California Department of Managed Health Care last week levied the fine against the Kaiser Foundation Health Plan for the mailing blunder, citing two types of violations of the state’s Confidentiality of Medical Information Act – unauthorized disclosure of medical information and the negligent maintenance or disposal of medical information.
The state agency said that in fall 2019, Kaiser set out to update its electronic health record system for clinical services supporting its 4.3 million Southern California enrollees, to set up separate physical and mailing addresses.
But an error in the Kaiser Permanente EHR system update caused nearly 338,000 mailings containing confidential protected health information to be mailed to the former addresses of 167,095 enrollees over a 75-day period, from Oct. 6 to Dec. 20, 2019.
DMHC said Kaiser had discovered in November 2019 that 644,000 potentially out-of-date enrollee addresses had been imported into Kaiser’s EHR system from its membership system, Foundation Systems, the state said.
But regulators said that after discovering the error, the system continued to mail additional materials containing PHI to enrollees’ former addresses until the last mailing on Dec. 20, 2019.
“Kaiser knew of the electronics error and data breach on Nov. 11, 2019, but did not stop the mailings to former addresses until Dec. 20, 2019, 39 days later, allowing another 175,000 pieces of potentially misdirected correspondence to go out,” DMHC said.
The state said 1,788 of the mailings were returned unopened and that eight recipients contacted Kaiser Permanente to inform the health plan that they had opened mail not intended for them.
That left 335,959 mailings unaccounted for, the state said. “The health plan asserted it could not otherwise trace where these mailings ended up or confirm whether an unintended recipient viewed them,” the state agency said.
“Health plans must protect the confidentiality of enrollee records and maintain and dispose of medical information correctly,” said California DMHC Director Mary Watanabe in a statement.
In addition to paying the monetary fine, Kaiser Permanente has agreed to implement a corrective action plan to prevent similar incidents involving enrollees’ protected health information.
The plan includes Kaiser Permanente notifying enrollees affected by the incident and confirming accurate addresses, updating the plan’s membership software systems and periodically checking and confirming that physical and mailing address changes are kept in sync, the state agency said.
Kaiser Permanente also agreed to work with its call center employees to confirm enrollee address information, and the health plan is providing refresher HIPAA training for staff.
Kaiser Permanente reported the incident to the U.S. Department of Health and Human Services in February 2020 as an unauthorized access/disclosure breach involving paper/films and affecting 167,095 individuals.
None of the mailings included Social Security numbers or financial information, Kaiser Permanente told Information Security Media Group. “Upon learning of the error, we immediately corrected our systems and future mailings. At this point, all necessary corrective action has been completed,” the health plan said.
Kaiser Permanente is not the first healthcare sector entity – or health plan – to report a serious data privacy breach involving a mailing mistake that resulted in a hefty regulatory fine.
A 2017 mailing mishap by a third-party firm cost health insurer Aetna more than $20 million, including fines from several state attorneys general and a class action lawsuit settlement (see: Aetna Fined Yet Again for Exposing HIV Information).
Aetna hired a vendor to mail out letters to about 12,000 of its health plan members in several states to inform them of the new options for filling their HIV prescriptions. But the members’ HIV drug information was potentially visible through that mailing’s envelopes, which had transparent windows.
Aetna needed to send those 2017 letters because of an earlier privacy dispute that involved another mailing mistake. In 2014, Aetna settled a class action lawsuit in which attorneys for plaintiffs argued that Aetna’s policy at the time, which required patients to fill HIV prescription drugs by mail order, left the privacy of patients’ HIV status vulnerable to exposure to family, neighbors and others (see: Yet Another Twist in Messy Aetna Privacy Breach Case).