Email compromise leads to healthcare data breach at Kaiser Permanente

At least 69,000 people have been impacted by a data breach at Kaiser Permanente, a long-running managed healthcare consortium.

The latest in a long-running series of healthcare attacks, the road to stolen data began on April 5 this year with an email compromise.

The direct path to data

A “substitute breach notice” posted June 3 revealed details of the attack. Those directly impacted were notified separately. As Kaiser Permanente does not have everyone’s addresses on file, this breach notice was released to help spread the word.

It begins:

On April 5, 2022, Kaiser Permanente discovered that an unauthorized party gained access to an employee’s emails. We terminated the unauthorized access within hours after it began and promptly commenced an investigation to determine the scope of the incident.

We have determined that protected health information was contained in the emails and, while we have no indication that the information was accessed by the unauthorized party, we are unable to completely rule out the possibility.

Unfortunately, a few hours was all it took to grab details affecting the 69,000 or so patients mentioned above. Data exposed includes:

  • First and last name of patients
  • Dates of service
  • Medical records
  • Lab test result information

The attacker did not have access to credit card details and social security numbers. This is good news for those affected.

Did the attackers target one employee?

It’s not every day you manage to compromise an account with access to so much data. The big question is whether or not this haul was the result of accident or design. From the breach notice:

After discovering the event, we quickly took steps to terminate the unauthorized party’s access to the employee’s emails. This included resetting the employee’s password for the email account where unauthorized activity was detected. The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future.

“Additional training on safe email practices” could mean one of many things. Perhaps the attackers got lucky off the back of a mass-mail phish attempt. Maybe they dredged up specific background information on the affected employee via social networking, LinkedIn, or even the company website. This attack may yet reveal itself to be something as basic as an easy-to-guess password.

The lurking menace of social engineering

There’s also another issue: data stolen in breaches like this can be used for future social engineering attacks. As the breach notice notes:

We do not have any evidence of identity theft or misuse of protected health information as a result of this incident. However, we take this incident seriously, and this notice provides details of the incident and our response.

Three months from breach to notification is still better than no notification. All the same: would anyone really know if these attacks have already been attempted?

Healthcare attacks: big business for fraudsters

This certainly isn’t the only healthcare breach in the news, with fresh attacks and even multiple breaches at some unfortunate organisations. The cost of a healthcare breach in 2021 was estimated to be $9.23m a year—a $2m increase over 2020. Even healthcare software and billing services are coming under attack from criminals.

Locking down the networks and business practices of healthcare providers and those in their orbit has never been more important. The risks to patients, the business, and their finances are simply too great to ignore.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.