State and federal officials are investigating whether Kaiser Permanente violated patient privacy rules through its work with Sure File Filing Systems, which stored nearly 300,000 confidential health records for the company, the Los Angeles Times reports.
According to Kaiser, the small document storage firm -- run by Stephan and Liza Dean -- was hired to organize and move thousands of paper records when Kaiser acquired the Moreno Valley Community Hospital in 2008.
In August 2008, the Deans moved the files from Moreno Valley to a warehouse in Indio, which they shared with another man's party rental business.
Emails Contained Patient Data
According to emails sent by Kaiser to Sure File, hospital clerks routinely messaged the Deans and asked them to pull records on specific patients. Stephan Dean said some emails from Kaiser employees contained patients':
- Full names;
- Dates of birth;
- Physicians' names;
- Social Security numbers; and
- Treatment dates.
Until this week, the Deans had such information stored on their home computers, according to the Times.
Stephan Dean said Kaiser showed little concern for the security of patient data when it sent the email requests. According to Dean, only one out of more than 600 emails from Kaiser had password protection with encryption.
In October 2012, Kaiser sued the Deans in Riverside County Superior Court for allegedly violating their contract by not returning all patient information when Kaiser picked up the paper records two years ago.
According to the allegations, the Deans put electronic patient data at risk by leaving two computer hard drives in their personal garage with the door open.
At one point, Stephan Dean said he was planning to contact patients about the whereabouts of their electronic medical data because he did not believe that Kaiser had taken proper security precautions.
In response, Kaiser sought a temporary restraining order to block the Deans from disclosing confidential information. A Superior Court judge granted the request until Thursday, when the court will hold another hearing.
Comments from Kaiser, Deans
Kaiser said that it is confident that the electronic patient data in question were not disclosed or accessed inappropriately. The company said that its "vendors are contractually required to maintain secure environments for all records, and this includes Sure File."
Stephan Dean said, "We could have sold [Kaiser's] emails to somebody in Nigeria, but Kaiser doesn't care about its patients' information."
Details of Investigations
The California Department of Public Health already has determined that Kaiser "failed to safeguard all patients' medical records" by allowing the Deans to manage certain files for about seven months without a contract.
DPH said it is awaiting more information from Kaiser on its "plan of correction" before assigning any penalties.
According to HHS letters, the agency began investigating Kaiser last year after receiving a complaint from the Deans about the health system's treatment of patient data.
Kaiser officials said the organization has not been contacted by federal officials.
HHS declined to comment on the matter (Terhune, Los Angeles Times, 1/5).