The health and personal data of around 70,000 Kaiser Permanente patients in Washington state have been stolen after hackers accessed the U.S. healthcare giant’s email system.

The data breach, which happened in early April, jeopardised patients’ first and last names, medical record numbers, dates of service, and laboratory test result information held by the health plan provider.

According to the healthcare provider, the breach did not expose financially sensitive information (Social Security numbers and credit card numbers).

The healthcare giant issued a breach notice (PDF), which assured the affected members that the attack was quickly contained.

The organization said:

On April 5, 2022, Kaiser Permanente discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident.

We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.

Although nothing suggests identity theft or misuse of protected health information as a result of the security breach, Kaiser Permanente has advised affected parties to be on the lookout for potential fraud.

In response to the incident, Kaiser said it promptly reset the employee’s password for the email account where unauthorized activity was detected.

“The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future,” Kaiser Permanente concluded.

The Daily Swig asked Kaiser to confirm that only one of its email accounts was affected by the breach and invited it to explain the root cause of the incident.