Case report: Breaching the Security of the Kaiser Permanente Internet Patient Portal: the Organizational Foundations of Information Security

This case study describes and analyzes a breach of the confidentiality and integrity of personally identified health information (e.g. appointment details, answers to patients' questions, medical advice) for over 800 Kaiser Permanente (KP) members through KP Online, a web-enabled health care portal. The authors obtained and analyzed multiple types of qualitative data about this incident, including interviews with KP staff, incident reports, root cause analyses, and media reports. Reasons at multiple levels account for the breach, including the architecture of the information system, the motivations of individual staff members, differences among the subcultures of individual groups within the Kaiser IT program, and the technical and social relations across it. None of these reasons could be classified, strictly speaking, as "security violations." This case study thus suggests that, to protect sensitive patient information, health care organizations should build safe organizational contexts for complex health information systems in addition to complying with good information security practice and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
