Question
Case 17: Breaching the Security of an Internet Patient Portal
Kaiser Permanente is an integrated health delivery system that serves more than eight million members in nine states and the District of Columbia. In the late 1990s, Kaiser Permanente introduced an Internet patient portal, Kaiser Permanente Online (also known as KP Online). Members can use KP Online to request appointments, request prescription refills, obtain health care service information, seek clinical advice, and participate in patient forums.
Information Systems Challenge
In August, there was a serious breach in the security of the KP Online pharmacy refill application. Programmers wrote a flawed script that concatenated over eight hundred individual e-mail messages containing individually identifiable patient information instead of separating them as intended. As a result, nineteen members received e-mail messages with private information about multiple other members. Kaiser became aware of the problem when two members notified the organization that they had received the concatenated e-mail messages. Kaiser leadership considered this incident a significant breach of confidentiality and security. The organization immediately took steps to investigate and to offer apologies to those affected.
On the same day the first member notified Kaiser about receiving the problem e-mail, a crisis team was formed. The crisis team began a root cause analysis and a mitigation assessment process. Three days later Kaiser began notifying its members and issued a press release.
The investigation of the cause of the breach uncovered issues at the technical, individual, group, and organizational levels. At the technical level, Kaiser was using new web-based tools, applications, and processes. The pharmacy module had been evaluated in a test environment that was not equivalent to the production environment. At the individual level, two programmers, one from the e-mail group and one from the development group, working together for the first time in a new environment and under intense pressure to quickly fix a serious problem, failed to adequately test code they produced as a patch for the pharmacy application. At the group level, three groups within Kaiser had responsibilities for KP Online: operations, e-mail, and development. Traditionally these groups worked independently and had distinct missions and organizational cultures. The breach revealed differences in the way the groups approached priorities. For example, the development group often let meeting deadlines dictate priorities. At the organizational level, Kaiser IT had a very complex organizational structure, leading to what Collmann and Cooper (2007, p. 239) call "compartmentalized sensemaking." Each IT group "developed highly localized definitions of a situation, which created the possibility for failure when integrated in a common infrastructure."
Discussion Questions
- How serious was this e-mail security breach? Why did the Kaiser Permanente leadership react so quickly to mitigate the possible damage done by the breach?
- Assume that you were appointed as the administrative member of the crisis team created the day the breach was uncovered. After the initial apologies, what recommendations would you make for investigating the root cause(s) of the breach? Outline your suggested investigative steps.
- How likely do you think future security breaches would be if Kaiser Permanente did not take steps to resolve underlying group and organizational issues? Why?
- What role should the administrative leadership of Kaiser Permanente take in ensuring that KP Online is secure? Apart from security and HIPAA training for all personnel, what steps can be taken at the organizational level to improve the security of KP Online?