Privacy Snafu Costs Kaiser $200k
The San Jose Mercury News has reported that the California Department of Managed Care has levied its largest privacy fine ever — $200,000 — against Kaiser Permanente of Northern California.
The California agency found that Kaiser had left sensitive patient information accessible on a public website. The information, including names, addresses, phone numbers, and lab results, had been accessible “for up to four years.” The breach was finally made public by a disgruntled former employee who blew the whistle by linking to the data on her online blog.
As you could probably guess, Kaiser is now suing the former employee for publicizing the privacy breach.


June 25th, 2005 at 9:57 pm
Kaiser allowed health information about their patients to be available to any insurance company which could adversely affect their health or life insurance. This is a serious breach of confidence in an age when any ailment enables an insurance company to refuse or drop coverage to people who are under-insured as it is.
The former employee’s reason for blowing the whistle is possibly a personal one, and not simply concern about patients’ health privacy, but I commend her for making the information public…at last. Kaiser would not have notified the patients of their own lax in judgement regarding disclosing information. Those people could be unaware of what their neighbor knows about them. Also, imagine how horrible it would be for one’s co-workers to know that they had STDs or an abortion. Talk about airing one’s dirty laundry and too much information!
Kaiser’s negligence should be upheld over any lawsuit they may have with her. I give her my support!
September 25th, 2005 at 12:32 am
I try to keep track of places where the Kaiser situation is discussed, and I just found this. I’m the whistleblower in question.
First to Lori: thanks for realizing the issue for me is that Kaiser would have covered it up. I did have personal reasons as well, but even the personal reasons relate to experience with Kaiser destroying evidence.
Second to Ray: I wanted to clarify the timing of the lawsuit. The lawsuit was filed in March. Here’s the timing:
Late Aug. 2004 - I file the complaint with the OCR.
January 2004 - OCR contacts Kaiser. I get a letter from the OCR that indicates there was no problem, and they do not say anything to me about taking down my links, etc.
March 2004 - Kaiser issues Cease & Desist Notice. I assume it’s a SLAPP (California legal term referring to invoking lawyers to limit free speech), and Kaiser’s doing damage control over the technical information contained in the web site. I don’t find out about the 140 people until a reporter calls me to tell me that Kaiser has called 140 people, and Kaiser is trying to frame me for posting the site. I stopped linking to the site at that point - so keep in mind that there was nothing for Kaiser to “make” me do with their lawsuit. It’s all PR.
March 2004 - Kaiser asks for a restraining order. The Judge doesn’t give it to them like they expected. Kaiser panics. Kaiser files the lawsuit and gets the CA Dept. of Managed Healthcare to file an alternative version of a restraining order, telling them that the evil disgruntled employee posted patient info on the web. Thanks to the DMHC involvement, which didn’t even have jurisdiction over private citizens, Kaiser’s depiction of me as someone who had stolen the patient info and was rampantly posting it in revenge spread far and wide. I’m still working to try to clean some of this up.
April 2004 - When I protest what the DMHC did and demand a hearing, they invite me to a “pre-Hearing conference” and propose a quick settlement. I agree because I have my hands full with Kaiser’s lawsuit and no lawyer. The boss of the DMHC was apparently not happy with the settlement I signed because they slipped in some extra language and claimed they could add anything that “didn’t come up” during the conference. Because I dared to complain, they didn’t post the settlement on their web site for months. When they finally posted it, they posted their version, not the one I signed. Plus they appended it behind the original version instead of replacing it. I’ve complained to the Bureau of State Audits about what the DMHC did to me. I’m sure in the end everyone is just going to shrug off that the DMHC spread a lie about me and left that lie posted for months.
Meanwhile - the Kaiser lawsuit. I didn’t have a lawyer, had no experience with the Court system, and have no financial resources. During the first hearing I faxed my opposition papers (i.e. my side of the story). Something went wrong technically on the Court side (they didn’t notify me until after the Hearing). That means the Judge didn’t hear my side of the story. He came in with a lot of assumptions based on what Kaiser’s papers said. Kaiser’s strategy has been basically to throw out all sorts of lies, including perjury in the sworn statements, to see if I give them any information when I protest. They need this because they have no actual legal case. They brought the lawsuit for breach of contract, but I could prove I found Kaiser’s web site over a year after I had lost my job with them, so breach of contract didn’t apply. So Kaiser has just been snippeting everything I say to make me sound like a “disgruntled” person who is the type to do bad things. Anyway, at the initial Hearing the Judge didn’t get crucial points, like I had no way of psychically knowing about the 140 people, and he gave me a preliminary Injunction.
The minute Kaiser got the Preliminary Injunction, they waved it before the press and used it to “prove” that I was the public’s nightmare of a disgruntled employee stealing patient info, etc. I tried twice to bring my own motion to get the Judge to hear my side of the story, but I have no legal training, and both times the Judge wouldn’t hear me because of a technicality.
It was around the time of my second attempt to get a Hearing that the DMHC concluded its investigation of Kaiser and levied the $200,000 fine. That at least confirmed that Kaiser had posted the web site and it had been public for years. Kaiser claimed it was some sort of “test portal”, but that’s complete bull. There’s no reason to “test” on a free Tripod web site. This was just a stupid way that some project managers decided to communicate with consultants.
Despite the DMHC fine, I still come up as an example of malicious identity theft in all sorts of presentations and articles because people don’t really do thorough research.
The situation is beginning to look better for me because I now have a pro bono lawyer. Hopefully he can bring things to a close pretty quickly.
The most complicated aspect of this is that I am a disgruntled ex-employee. I was treated badly by Kaiser, and I have a lot to be angry about. However, I wasn’t employed by Kaiser when I found the Systems Diagrams. I found them as a private citizen. The only relation my former employment with Kaiser had to do with this is that Kaiser’s treatment of me determined the way I would look at the Systems Diagrams: as evidence to be protected. I did my best to prevent Kaiser from covering it up. I wish people didn’t feel like evaluating my character is the important thing here, because the real important thing is Kaiser had this public web site up for four or five years, and they used every sleazy tactic in the book to distract from that - at the expense of someone who they had already done a lot of damage to.
The weird thing is that this situation led me to interact with a lot of entities besides Kaiser, and the entire experience has confirmed my worst fears about the world:
1) The press gets things wrong. A lot. NBC local news actually makes up stories by splicing clips with new questions. It’s almost impossible to get corrections, and no one reads the corrections anyway.
2) State agencies, such as the DMHC, can attack private citizens, and they don’t have to apologize for any damage done. And they can ignore a settlement if you don’t have a lawyer.
3) Both State and Federal agencies investigate by reading newspaper articles, and they don’t bother to ask you what happened or for your evidence. This is a problem when the press is going for the simplest story and often gets things wrong.
4) Senators also develop their opinion from the press. Dianne Feinstein changed her mind about helping me because Kaiser succeeded in positioning me on the wrong side of the privacy issue she was championing. She denied sending me an original helpful letter with the statement “most identity theft is committed by employees”. Therefore, she was lumping me in with “identity theft” whether I was guilty of that or not. Thank you, Dianne Feinstein, for proving Appearances really are everything.
5) There is nothing about justice in the current legal system. It’s totally stacked against poor people. I have to bear the financial burden of the process (keep in mind I have no income) just to maintain my rights. This boils down to rich people being able to buy the outcome if they know their opponent doesn’t have the financial means to hang in there. I used to think that either the Judge or some benevolent aspect of the process works to prevent this, but now I know they don’t.
6) No one will notice that you did the right thing of your own accord if a corporate PR department keeps shouting that they had to go to Court to “make” you stop. I’m not anti-privacy. I just look that way because Kaiser is claiming to be pro-privacy and making a big show of attacking me.
Because I didn’t have the right legal help up front, I’ve tried to handle all this by being as open as possible and answering anybody’s questions. Feel free to email me if you have some. kaiserscapegoat (at) hotmail.com
And Lori - your words of support mean a lot to me. Thank you. :-)