
Vast cache of Kaiser patient details was kept in private home

The case of Kaiser and Sure File Filing Systems underscores how patient information remains vulnerable in the hands of healthcare providers and outside contractors.

January 05, 2013 | By Chad Terhune, Los Angeles Times

In August 2008, the Deans started packing up thousands of files from Moreno Valley and moving them to the warehouse in Indio.

Hospital clerks routinely messaged Dean asking him to pull records on specific patients, emails sent by Kaiser to Sure File show. Dean said some Kaiser employees would put the patient's full name in the subject line of the email, and other messages listed the patient's Social Security number, date of birth, doctors' names and treatment dates. One message started, "Good Morning Sure File," and requested adoption records for a child.

Dean said Kaiser showed little concern for patient privacy in handling those requests. Only one out of more than 600 emails from Kaiser was password-protected with encryption, he said. Many medical providers use such technology so information isn't visible to others.

"Every one of these records is somebody's life," Dean said recently, scrolling quickly through what he said was Kaiser information on his computer screen. "We could have sold these emails to somebody in Nigeria, but Kaiser doesn't care about its patients' information."

Kaiser said that government rules don't require encryption and that "our vendors are contractually required to maintain secure environments for all records, and this includes Sure File."

The healthcare company awarded another job to Sure File in January 2010: to "deactivate" and store about 345,000 records from its West Los Angeles Medical Center for $206,000, according to Kaiser documents.

But within a few weeks, Dean said, he stopped working because he didn't have a contract yet for the West Los Angeles work. The two sides reached an accord in March 2010, and in a letter that month a Kaiser purchasing manager apologized to Dean for the confusion.

"We should have signed a contract prior to the commencement of this project," the manager wrote.

Three months later, in June 2010, Dean said, he stopped working for Kaiser again. This time, he said, he could no longer afford the insurance on the warehouse and $1,500 a month for gas for his file deliveries to Kaiser.

By July 2010, Kaiser had terminated the Deans' contract and picked up the medical records from the Indio warehouse, court files show.

The two sides signed an agreement in March 2011 to resolve their differences and Kaiser paid $110,000 to Dean, according to court documents. In its lawsuit, Kaiser said Dean was required to return or destroy "all the protected information of Kaiser members" as part of their agreements.

Dean says those agreements covered only the return of paper records. On New Year's Eve, Dean said, he deleted the Kaiser emails and other patient information on the two hard drives.

Kaiser said "this is a positive step, although based on [Dean's] behavior we will be seeking independent verification of his promised performance." In court filings, the company said it had sought access to his computers and email account for inspection by a forensic consultant.

Dean said he offered to grant that access — if the company paid him $100,000. Kaiser said it already had fully compensated the Deans, paying them about $500,000 in all.

"Kaiser created this mess and I want to make sure patients are notified properly if someone hacked into their information," Dean said. "We've had all sorts of viruses on our computer."
