Kaiser fined $450,000 after mailing California patients’ health info to outdated addresses

The California Department of Managed Care announced Thursday that Kaiser Permanente agreed to pay a $450,000 fine because it used potentially outdated addresses when it sent out mailings containing confidential information to thousands of patients.

The agency said the Oakland-based health care giant issued 337,755 mailings that had health information on 167,095 enrollees between October 2019 and December 2019. Kaiser said it could not be sure the intended recipients received the packets because there was an error in updating its electronic medical record during the period.

“Health plans must protect the confidentiality of enrollee records and maintain and dispose of medical information correctly,” said DMHC Director Mary Watanabe. “Kaiser Permanente agreed to take corrective actions to protect consumers’ confidential information and ensure this doesn’t happen again.”

None of these mailings contained social security numbers or financial information, Kaiser officials told The Sacramento Bee in a statement issued Thursday.

“Kaiser Permanente takes the protection of our members’ personal and health information seriously and continuously works to safeguard data,” company officials said in the statement. “Upon learning of the error, we immediately corrected our systems and future mailings. At this point, all necessary corrective action has been completed.”

DMHC officials said that 1,788 of the mailings were returned to Kaiser unopened but that eight recipients contacted the plan and reported opening the mailings before seeing that they were not intended for them. Due to the plan’s system error, DMHC officials said, thousands of mailings could have been viewed by unauthorized persons.

As part of the corrective action plan, Kaiser had to notify enrollees who were affected and confirm they had accurate addresses for them, update its membership software systems and check periodically to confirm address changes are kept in sync. The company also conducted refresher training for staff on the Health Insurance Portability and Accountability Act standards on protecting sensitive health information.

The data breach violated California’s Confidentiality of Medical Information Act in two ways, DMHC officials said: The company disclosed medical information to people unauthorized to see it, and it showed negligence in how it maintained the information.

If health plan enrollees suspect unauthorized disclosure of their medical information or have other issues, they can file a grievance or appeal with the plan, DMHC officials said. If the offered resolution does not satisfy the customer or if there’s no response after 30 days, they said, consumers can file a complaint with the DMHC Help Desk by calling 888-466-2219 or filling out a form at HealthHelp.ca.gov.