California court orders medical records unlinked from blog
A former Kaiser employee was told to stop posting patient information online, information she said the company failed to secure.
By Tyler Chin — Posted May 2, 2005
A California state court has issued a preliminary injunction ordering a former Kaiser Permanente employee to stop directing visitors from her Internet blog to other Web sites containing patient information that the health plan itself had inadvertently posted online.
On March 23, Superior Court of the State of California Judge James Richman granted the Oakland, Calif.-based HMO's request for an injunction against Elisa D. Cooper, who calls herself the "Diva of Disgruntled" on her online journal.
Cooper had posted links on her blog to three other Web sites that had the names, addresses, telephone numbers, medical record numbers, and in some cases, laboratory test results belonging to approximately 140 Kaiser health plan members, according to the lawsuit Kaiser filed last month against her. Kaiser had the sites taken down last month before the injunction was imposed on Cooper.
The HMO is suing Cooper for invasion of privacy and violating the confidentiality agreement she signed when she was hired in January 2003 to work as a Web site coordinator at The Permanente Medical Group Inc.
Cooper, whom Kaiser fired in June 2003, wrote in an e-mail to AMNews that she posted the information to call public attention to the "incredible security bungle" Kaiser had committed by posting diagrams of its information systems online. "Until [the week of March 14], I thought the main issue was that sensitive technical diagrams had been leaked onto the Internet," she wrote. Her blog, as of late April, still was active, though the personal information has been removed.
Cooper also filed a complaint with the Health and Human Services' Office for Civil Rights, alleging that Kaiser had violated the federal medical records privacy rule known as HIPAA, the Health Insurance Portability and Accountability Act of 1996.
The HMO first became aware of the issue when it was contacted in January by the Office for Civil Rights, which enforces the privacy rule, said Matthew Schiffgens, a Kaiser spokesman. Over the course of its investigation, Kaiser learned about Cooper's blog and in March "we contacted all the affected [HMO] members to let them know what has occurred and what we're trying to do in order to bring this matter to a resolution," Schiffgens said.
It wasn't until late last month that Kaiser determined it had inadvertently posted patient data on "an unpublished Web site that was there expressly for the use of information technology people in terms of supporting their work," Schiffgens said. "You would have had to know it was there [to find it]. All the information that was on it is now behind the firewall and password-protected."
Meanwhile, Kaiser is pressing its lawsuit against Cooper. As far as it knows, "we are not presently subject to an investigation or action by the Office for Civil Rights at this point," Schiffgens said. "We have been and continue to be in discussions with them."
As a matter of policy, the Office for Civil Rights doesn't comment on whether or not there is an investigation, said spokesman William Pierce.