[ Monday, June 20, 2005 ]


Kaiser fined $200,000: I received this in an email today and haven't found an actual news source on it yet (probably will update tomorrow). Anyway, it appears the California Department of Managed Health Care has levied a $200,000 fine in relation to Kaiser's posting of PHI on a fairly obscure web portal. This is apparently the case highlighted by the Diva of Disgruntled. But before you start thinking this is vindication for the Diva, what she did is re-publish the information after Kaiser had removed it from the offending website.

Anyway, here's what I got via email:

> June 20, 2005 (916) 445-7442
> Kaiser Foundation Health Plan Fined by State for Exposing Patient
> Information on Web
> Confidential data was contained on publicly viewable site
> (Sacramento) Following through on a public promise in March, the
> Department of Managed Health Care (DMHC) has completed an
> investigation and fined Kaiser Foundation Health Plan $200,000 for the
> unauthorized disclosure of patient health information, available on a
> potentially accessible Web site for up to four years.
> "Patients must be assured that health plans will, at all costs, do
> everything possible to protect confidential information," said Cindy
> Ehnes, director of the DMHC. "As we work on broadening the use of
> electronic medical records to improve patient care, on both the state
> and federal levels, health plans must make security of confidential
> information a top priority."
> The DMHC investigation determined that Kaiser was responsible for the
> creation of a Web site used as a testing portal by its information
> technology staff. The site contained confidential patient information
> such as names, addresses, phone numbers and lab results. It was set
> up and available for public viewing in 1999 without the prior consent
> of those affected, in direct violation of state law and the plan's own
> privacy policies.
> DMHC officials were concerned that Kaiser allowed the site to languish
> on the Web in an accessible format and did not act to remove it until
> its existence was brought to the attention of federal civil rights
> authorities in January 2005. In addition, Kaiser authorities chose
> not to inform state regulators until after the site had been reported
> to the media in March. However, Kaiser has since informed all of the
> approximately 150 members who may have been affected.
> "Not only was this a grave security breach, Kaiser did not actively
> work to protect patients until after they had been caught,"
> said Ehnes. "We're
> imposing this fine because we consider this act to be irresponsible
> and negligent at the expense of members' privacy and piece of mind."
> Under state law, a health plan can be fined if they violate the
> confidentiality of medical information, without first obtaining the
> individual's authorization.
> In addition to federal Health Insurance Portability and Accountability
> Act
> (HIPAA) laws, state law has its own privacy statutes contained in the
> Civil Code.
> Kaiser officials have until June 25 to present any information to
> dispute the DMHC's findings or the fine will be imposed, and they have
> been cooperating throughout the investigation.
> The California Department of Managed Health Care is the only
> stand-alone watchdog agency in the nation, touching the lives of more
> than 21 million enrollees. The Department has assisted more than
> 633,000 Californians through its 24-hour Help Center to resolve their
> HMO problems, educate consumers on health care rights and
> responsibilities, and work closely with HMO plans to ensure a solvent
> and stable managed health care system.

[UPDATE:] The story is now available here. If that's a registration site, you can get a snippet here too. It looks like Kaiser isn't going to fight the fine, though.

But I don't think this is vindication for Elisa Cooper, the "Diva of Disgruntled."
As I understand it (and I could be wrong, but I think this is pretty accurate), Kaiser set up a beta site to test the structure of its electronic medical records architecture. It populated the beta site with some random data, probably pulled randomly from real medical records in Kaiser's system. Information such as patient names and test results were included, but apparently not social security numbers or the like. The site was accessible from the internet (so that it could be tested by multiple parties to make sure it would work, and to allow Kaiser contractors and others to model off of it), but you would really have to know where you were going to get to it. It was very much a technical site, rather than a pretty graphics and text site like this one. Clearly PHI was included, and Kaiser should have substituted phony names; Kaiser should have been more quick in taking the site down once they knew about it, too. One of the outside contractors Kaiser used, the "Diva," got fired by Kaiser, and tried to use this as leverage against Kaiser to get rehired or be cashed out. She publicized the site and how to access it; apparently, she also copied the information off the site and, even after Kaiser had closed the site down, made the information available on the 'net. I think she may have offered it for sale on Ebay, too. That's when Kaiser sued her. Kaiser may have done wrong in putting the information out where it could be accessed by the public, even though the likelihood of anyone accessing it was awfully remote. But further publication of the information by the Diva did nothing to improve the privacy of the information, and in fact reduced the privacy even more.

[Update 2]: Here's the DMHC website PDF of the press release from above.

Jeff [5:13 PM]

Hi, Jeff -

Funny you should use the word "vindication". Every single person who asked me for a comment yesterday asked me if I felt "vindicated". I think this comes from a fundamental misunderstanding of the problem in the first place. Right now I'm mostly relieved that the DMHC has confirmed I wasn't the one who posted the Systems Diagrams on the web. I've been fending off Kaiser's insinuations that I stole patient data as an employee for three months, and I hope the DMHC's determination will finally put a stop to that.

You're wrong about many aspects of this situation. If you have questions, feel free to ask (kaiser_scapegoat@hotmail.com). My policy has been to offer people all the information I can and not edit anything. Unfortunately, this meant leaving "Diva of Disgruntled" as the title of my blog, even though it encourages assumptions like yours. I felt if I were going to complain about Kaiser's destruction of documents, it would be hypocritical to run around and "clean up" my own history even if it would hurt my legal situation. I'm hoping that what I get in return for my integrity is a fair hearing.

I am a former employee of Kaiser. I lost my job in 2003. I admit to being disgruntled about the circumstances and frustrated about my lack of recourse. I don't want to go into detail here because that happened over a year before I even found the Systems Diagrams. I'm happy to answer any questions about it, if you want to ask. I did not do anything to deserve to be "fired". The Systems Diagrams were not "leverage" for anything. I went through a long dispute resolution process with Kaiser that did indeed contribute to my "disgruntlement", but that was over with 6 months before I found the Systems Diagrams. I had no contact with Kaiser after the dispute resolution process except for the incident which launched my blog.

I'm a pretty mousy person, and putting myself on public display is about the worst experience I could put myself through. However, someone from Kaiser tried to intimidate me. A Kaiser investigator left his card on my doorstep while I was at home to imply he was lurking around outside. The place I live is behind another house, and the mailbox is out on the street. If someone comes back to where my house is, it's only to knock on the door. Once I saw the card, I had to wonder what else the Investigator had done: did he put cameras in my windows? Tap my phone? What else was he capable of?

I don't know who sent the Investigator or why. He may have been a friend of my former manager's rather than someone officially sent by Kaiser to intimidate me. There are a number of things Kaiser could have been responding to. I had filed complaints with a number of agencies, and I had been writing political representatives. I made a business ethics complaint through EthicsPoint.

It's also possible he was responding to the eBay thing, though I think Kaiser would have approached that head on instead of dispatching someone to lurk around my house. The eBay incident was something stupid I did, but it has nothing to do with the Systems Diagrams or patient data. My termination from Kaiser was conducted as a deliberate surprise (because it was illegal), and this left me holding a lot of documents from work. I never had any access to patient data, and the documents are the type everybody has from work. Mostly high level web philosophy stuff. I've seen a couple of them posted on other people's web sites as samples of their work for their resume. One night I saw a news segment about weird items on eBay. I had been through months of an exhausting, futile dispute resolution process with Kaiser, and I was having no luck finding a lawyer or getting a political representative to look at my case. Kaiser had called the last letter of the dispute resolution process "final", and I wanted them to know I was still pursuing it, and I wanted them to know that by covering for my manager they had left me with all these documents (and maybe they'd think twice before doing the same thing to someone else). So my ever-so-brilliant idea was to list a bunch of document titles on eBay, tip my hat at Kaiser and maybe get some attention for my case at the same time (the idea was that a reporter would ask me why I did it, I would tell them about Kaiser destroying all my email to cover up an illegal termination, they would write an article, and that might ultimately get me a lawyer). I listed about 12 titles: I set an outrageously high bid price and emphasized these were beat-up papers with highlighting all over them. I didn't want anyone to actually bid on them. Kaiser noticed, as expected. I got an email with an obvious legal question about document formats. I tipped my hat at them and signed my name. Kaiser blocked the auction as expected. No sympathetic journalist noticed. I didn't do anything further. I never sold anything. No patient data was involved. I didn't post actual documents - just the titles. I didn't run out and try to sell them elsewhere. I just wanted Kaiser to know they left me with all those documents. It's just a stupid thing I did when everything else felt hopeless.

The Investigator thing happened later, so if it was actually an official Kaiser action, it was probably for all the trouble I was causing put together including the above-mentioned eBay incident.

I don't think there are words strong enough to describe how traumatized I was by this. It's really creepy to think some guy may be looking in your windows. *This* is when I started blogging about Kaiser. I'm a pretty mild-manner, docile person. Notice how I pursued Kaiser's own 7-month dispute resolution process before even looking for a lawyer. I also went to the Dept. of Fair Employment and Housing. My instinct is to do things in the lowest profile way possible. However, the Investigator incident was the final straw for me. I'd been wrongfully terminated by Kaiser, trudged through months of "proper channels" , and now I had some Kaiser guy wandering around my house. The police told me they couldn't do anything. I wanted to show Kaiser this was a bad, bad, bad move on their part. The only thing I had, though, was my ability to shout back. Therefore, used my LiveJournal (which I had started about a month before to make anonymous vague philosophical statements about corporate ethics) to start shouting at Kaiser. I also posted some pages from some of the documents I had just to underscore that they had turned me into a loose canon. Once more, no patient data involved.

At this time, I was pretty miserable. As mentioned above, it's not really in my personality to make a spectacle of myself. I was embarrassed and angry that this was the only thing I had left. However, my blog attracted other people who had had similar experiences with Kaiser (mostly in regard to document destruction during arbitration proceedings). They were supportive. One, who became a very good friend, told me I shouldn't be embarrassed be embarrassed about being disgruntled - that I had good reason to be, and that I should own it and be proud of it. That's when I added the "Diva of Disgruntled" tagline to my blog. It was a way I could get reframe my situation and get back some dignity. I was also asked to speak on a local radio show about Kaiser's EMR.

A couple months go by. During this time I help the patient advocacy groups with research, mostly gathering Kaiser-related documents from the Internet. One day I Googled my former manager's name, and I found the Systems Diagrams. I didn't know what to make of them - I thought they might be some sort of honeypot Kaiser put out to attract hackers. This was such a weird discovery that I put more energy into Googling, and I made a second amazing discovery. Part of Kaiser Colorado Intranet was apparently not behind a firewall, because I was getting all sorts of documents related to Kaiser's not-yet-launched Thrive campaign. I handed these over to the person who runs the Kaiser Thrive web site. Because this was such a wild find, the Systems Diagrams were overshadowed. I wanted to report them somewhere instead of just giving them to Kaiser because I had direct, personal experience of Kaiser destroying documents to cover stuff up. I felt that some cosmic force had put the Systems Diagrams in my way to give me a chance to prevent Kaiser from covering this up. It took me a couple of weeks to figure out the Office of Civil Rights was the place to report the Systems Diagrams.

I also told Matthew Holt of the Health Care Blog, and after he discussed the Systems Diagrams, Kaiser took them down. I had taken a copy for evidence, and I felt the sudden and quiet disappearance of the Systems Diagrams confirmed Kaiser had responded by covering their tracks. I had already confirmed that the Systems Diagrams had been on the web for several years via the Internet Archive (the earliest date I saw was 2002, but the DMHC is now saying 1999). I also thought that the main issue was the leak of technical information. I saw a couple of names, but I thought they were probably test data. (Recently when I was combing through the Systems Diagrams for dates to show the site was being maintained and updated after I was no longer working for Kaiser, I found a list of patient Medical Record Numbers - I think this is the "private information" and the source of the 140 figure).

Anyway, I put my copy of the web site up to show the OCR that it was a web site: I really thought the damage had already been done as far as it being on the web, and I planned to take it down after the OCR had a chance to look at it. However, the OCR didn't get back to me for four months. Complete silence. In the meantime I had a medical emergency, and I had to cope with the ramifications of being uninsured. I just forgot about the web site while waiting for the OCR.

The OCR finally got back to me four months later. They asked me about my copy of the web site, and they didn't say anything about taking it down or how long they would need to investigate. A month later I got a generic letter from the OCR saying they had offered Kaiser some "training" in HIPAA. I was astounded. Having worked in that area, I knew Kaiser was well aware of HIPAA and managers in that area wouldn't have "mistakenly" posted anything on the web. I was sure this was posted as a means for technical consultants to communicate with and train each other: and it was on the Internet (a cheesy Tripod web site) because they were communicating with consultants outside Kaiser's Intranet. It was amazing that the OCR fell for some "we didn't know about HIPAA" routine, and I felt Kaiser had lied to the OCR. At that point I griped about the outcome of the investigation on my blog, and I linked to the copy site as proof. Kaiser diddled around for two months, and then they issued a Cease & Desist Order. I thought this was a SLAPP, so I ignored it: if Kaiser wanted me to do anything, they could just ask, and that would give me the opportunity to talk with them about the document destruction issue. I posted my link again to defy the C&D, and I called for people to contact the OCR and demand a real investigation. Kaiser then called 140 patients and told them something to the effect that I had stolen patient data, and I was the one who put it on the web. When a reporter called me, I told her that wasn't true. I told her everything I knew and offered whatever evidnce she wanted. This was the San Jose Mercury News, and she did a pretty good job of checking the facts and getting comments from both sides.

You'd think Kaiser would realize that they had done an evil thing at this point. Instead, they poured on the smear campaign. I took down the copy site once the 140 number hit me - and I thought a public investigation was assured at that point, anyway. Kaiser dragged me into Court for a symbolic Restraining Order. When they didn't get it right away, they went to the DMHC and cried Disgruntled Employee Stole Data! Note the DMHC confirmed they were only told in March 2005 in their Kaiser judgment. The DMHC saw the "Diva of Disgruntled" tagline, and they jumped to conclusions. They issued a press release that corroborated Kaiser's story, and I've been dealing with the fallout ever since.

Kaiser is suing me, but they have no breach of contract claim since I wasn't working for them when I found the Systems Diagrams. The only reason they can keep on litigating is that I'm too poor to afford a lawyer. Because I didn't run and hide "Diva of Disgruntled", I apparently don't have the public sympathy to get a pro bono lawyer. Kaiser can just keep peppering me with paperwork for years. They want me to settle and give them a symbolic victory so they can decrease their liability and make the fact they tried to frame me look like some justified act. As long as they are suing me, their PR people can keep pointing to the suit to show how wrong and bad and disgruntled I am.

I think you don't understand the nature of the site, either. It wasn't a test app. It was training documentation. It contained a lot of systems diagrams, screenshots, and even some code. The patient data is in the screen shots and some generated output lists. Some of the screenshots have personal information like addresses, and perhaps social security numbers (I'm not going to go check). The big list is the one with Kaiser Medical Record Numbers (MRNs). I don't think there is much, if any, really personal health information: Kaiser exaggerated this to get the restraining order when they thought they were going to pin it on me.

I would like to mention the DMHC never apologized for what they did to me. Instead they offered a quiet settlement in which they would "revise" the original Order. I signed this settlement on April 15, and I will show it to you if you want. The DMHC broke the settlement when I complained they had slipped extra language back in. They probably attempted to do that because in the settlement the DMHC claims the authority to deem linking to public web sites injurious. The DMHC didn't have jurisdiction over a private citizen in the first place. To abet Kaiser in an "unclean hands" act against me and then to break a settlement in which I was allowing them to quietly save face - that's all just an outrageous tyranny of the State. The Kaiser fine probably reflects the DMHC's frustration at being put in that position. The good news is since the DMHC's decision clears me of being a rogue employee data bandit, the patient advocacy groups I was working with will now be able to admit to knowing me in public without hurting their cause, and with their help I might be able to get some legal help.

As for "further publication of the information" I hope you will keep in mind that I didn't know I was perpetuating a lot of patient data. I thought I was preserving the evidence of a leak of technical information. I had a First Amendment right to point it out once that information had been put out in public by Kaiser. Moreover, that data was on the Internet since 1999. It would still be there today, if I hadn't pointed it out. The patients would never have been informed if I hadn't resisted the C&D Order. Kaiser missed several chances to do that (for instance, Sept. 2004 and January 2005). If that patient data had been previously misused in any way, no one would have known where it was coming from. The OCR didn't inform the patients, either. It was only my determination to keep Kaiser from covering something up that led to a real outside investigation.

Your summary of my situation contains a number of inaccuracies, which helps Kaiser spread its various character smears. You could have come to me and asked for my version of events. I've left comments on your blog before, too. I hope that you will ask me for more information if you have any questions.
ps. my email is kaiser_scapegoat@hotmail.com
Post a Comment
http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template