Almost 70,000 Kaiser Permanente patients in Washington State may have had their personal information, dates of service and lab test results exposed in an April data breach.

Founded in 1945, Kaiser Permanente is one of the largest nonprofit healthcare plans in the U.S., providing healthcare services to more than 12 million people. 

After discovering an attacker gained access to employee’s emails, Kaiser Permanente terminated the access within hours and began an investigation to determine the scope of the data breach. The healthcare company determined that protected health information was contained in the emails, and while there is no indication that the unauthorized party accessed the information, the company is “unable to completely rule out the possibility.” 

In addition, there is no evidence of identity theft or misuse of protected health information as a result of the incident. Potentially exposed health information included first and last name, medical record number, dates of service, and laboratory test result information. Sensitive information such as Social Security number and credit card numbers were not included in the information.

The company says other security steps taken included resetting the employee’s password for the email account where unauthorized activity was detected. “The employee received additional training on safe email practices, and we are exploring other steps we can take to ensure incidents like this do not happen in the future,” the company stated in a privacy notice. 

Chris Clements, Vice President of Solutions Architecture at cybersecurity company Cerberus Sentinel, says, “It’s critical that as a part of their larger cybersecurity culture, organizations include assessing their ability to quickly understand the scope of a potential breach in risk analysis or tabletop exercises.”