DMHC Press Release

June 15, 2023 Press Release


Thursday, June 15, 2023


DMHC Fines Kaiser Permanente $450,000 for Violating Enrollee Confidentiality


(Sacramento) - The California Department of Managed Health Care (DMHC) announced enforcement action against Kaiser Foundation Health Plan, Inc. (Kaiser Permanente) including a $450,000 fine for violating the confidentiality of thousands of the plan’s enrollees. The plan sent 337,755 mailings containing confidential Protected Health Information (PHI) to 167,095 potentially outdated enrollee addresses from October 2019 to December 2019. Kaiser’s error in updating the plan’s electronic health records system caused the unauthorized mailings and PHI data breach. The plan has agreed to pay the fine and implement corrective actions, including running periodic checks of its software systems to ensure enrollee addresses are correct and up to date.

"Health plans must protect the confidentiality of enrollee records and maintain and dispose of medical information correctly," said DMHC Director Mary Watanabe. "Kaiser Permanente agreed to take corrective actions to protect consumers confidential information and ensure this doesn't happen again."

BACKGROUND: Kaiser reported to the Department that an error in updating its electronic health records system caused mailings with confidential information to be potentially sent to enrollees’ former addresses. The plan reported that, of the 337,755 mailings, 1,788 were returned unopened and eight recipients contacted the plan sharing they had opened the mailing and saw that it was not intended for them. Due to the plan’s system error, thousands of mailings could have been viewed by unauthorized persons.

The Plan's errors caused two types of violations, an unauthorized disclosure of medical information and the negligent maintenance or disposal of medical information in violation of the Confidentiality of Medical Information Act. Kaiser knew of the electronics error and data breach on November 11, 2019, but did not stop the mailings to former addresses until December 20, 2019, 39 days later, allowing another 175,000 pieces of potentially misdirected correspondence to go out.

CORRECTIVE ACTION: Kaiser implemented corrective actions to reduce the risk of future breaches of enrollees’ confidential information. The corrective actions included notifying impacted enrollees and confirming accurate addresses, updating the plan’s membership software systems and periodically checking to confirm address changes are kept in sync, working with call center employees to confirm address information and refresher training for staff on Health Insurance Portability and Accountability Act (HIPAA) standards to protect sensitive PHI. On an ongoing basis, Kaiser has agreed to run periodic checks of its systems to ensure that it is using the most current physical and/or mailing address to communicate with its members.

WHAT ENROLLEES CAN DO: The DMHC encourages health plan enrollees experiencing issues with their health plan, including privacy and confidentiality concerns, to file a grievance or appeal with their health plan. If the enrollee does not agree with their health plan's response or the plan takes more than 30 days to fix the problem for non-urgent issues, the DMHC Help Center can work with the enrollee and health plan to resolve the issue. The health plan enrollee can file a complaint with the DMHC Help Center at or 1-888-466-2219.


About DMHC:

The California Department of Managed Health Care (DMHC) protects the health care rights of 28.4 million Californians and ensures a stable health care delivery system. The DMHC Help Center has assisted 2.6 million Californians to resolve complaints and issues with their health plan. The DMHC Help Center provides assistance in all languages and all services are free. For more information visit or call 1-888-466-2219.