Health care provider Kaiser Permanente has disclosed a data breach that compromised the information of some 70,000 patients at subsidiary Kaiser Foundation Health Plan of Washington.

In a June 3 notice to patients, Kaiser Permanente described the data breach as a “security incident” that involved unauthorized access on April 5. The company said it discovered that an unauthorized party had gained access to an employee’s emails. It’s claimed that the unauthorized access was terminated within hours after it began.

Protected health information was contained in the emails. Although Kaiser Permanente says it has no indication that the unauthorized party accessed the information, it’s unable to rule out the possibility.

Information potentially breached included first and last name, medical record number, dates of service and laboratory test result information. Social Security numbers and credit card numbers were not exposed.

Kaiser Permanente does not say how the email account was compromised, but the evidence points to either credential-stuffing or phishing. That evidence includes the company saying “the employee received additional training in safe email practices,” which wouldn’t be required unless it was one of those two things.

“It is most likely that the threat actor(s) involved were already inside for some time and what was detected was the actual data being exfiltrated within hours,” Sanjay Raja, vice president of product at unified security and risk analysis company Gurucul Solutions Pvt Ltd A.G., told SiliconANGLE. “What is becoming more evident as we see attacks similar to the Kaiser disclosure is Identity Threat Detection and Response is a critical component of any security operations program.”

Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Cyber Sentinel Corp., commented that the incident demonstrates the need for organizations to have robust auditing controls to identify quickly what data was accessed by attackers during an incident.

“The breach occurred almost three months ago, yet Kaiser Permanente has only recently notified potentially impacted people that their data may have been compromised,” Clements said. “During this time, the affected individuals could have been targeted by attackers using any specific information stolen in convincing social engineering campaigns. It’s critical that as a part of their larger cybersecurity culture organizations, include assessing their ability to quickly understand the scope of a potential breach in risk analysis or tabletop exercises.”

Photo: Ted Eytan/Flickr