13.4 million affected | Kaiser's monumental data breach shows us healthcare companies require better digital skills training

On Thursday last week, Kaiser Foundation Health Plan reported an enormous data breach that could affect an estimated 13.4 million people.

In the breach, Kaiser Permanente determined that online technologies possibly transmitted personal information to third-party vendors when members, including patients, used its mobile apps or websites, describing it as “unauthorized access/disclosure.”

The healthcare giant says it is “not aware of any misuse of any member’s or patient’s personal information,” but it still plans to notify those possibly affected “out of an abundance of caution.”

It apologized for the error, stating that leaked data includes IP addresses, names, and other data including “search terms used in the health encyclopedia” – but not usernames, passwords, Social Security numbers, or payment information.

But could it have been prevented?

A lack of digital skills training could be causing healthcare data breaches

The issue is undoubtedly much larger than Kaiser Permanente. In 2023, there were a record 725 large security breaches in healthcare, according to data from The HIPAA Journal.

According to DoorSpace CEO Sarah M. Worthy, an expert in skills development within healthcare, the spike in such breaches can be attributed to one reason only: “because healthcare executives and their employees don’t understand basic digital concepts such as how web cookies work to collect site visitor data.”

Worthy argues that poor digital skills have been an issue within healthcare organizations for several years and suggests that Kaiser Permanente could have avoided this latest large-scale breach by investing more in digital and cybersecurity upskilling.

“Kaiser leadership chose not to make this a priority and their delays have cost patients their privacy,” Worthy claims.

The company has promised it has taken steps to ensure the issue never happens again. However, it is not clear whether this includes better cybersecurity training.

Regardless, skills development has to be a priority for the healthcare sector, and HR, alongside training or L&D leaders, must lead the charge. A priority should be to create more rigorous development programs for executives, particularly the CEO.

“It’s simply no longer adequate for the C-suite in hospitals to rely on their IT team to protect them,” says Worthy. “Leadership has to invest in college-level and above cybersecurity and data management courses.”

Neglecting digital skills could “cost billions of dollars and patient safety”

Whether the issue was caused directly or indirectly by a lack of skills, digital training must improve within the wider healthcare industry – and in the many other industries where company, customer, or employee data is also subject to major security leaks.

Worthy argues healthcare organizations “need to be training their workers on basic cybersecurity practices.”

She adds that breaches can largely be prevented, but that doing so requires significant tech and personnel investment as well as ongoing training procedures. “Many don’t want to pay for it until it is too late. However, when it comes to sensitive data, it is a necessary investment and should not be optional for healthcare organizations.”

Cutting corners in skills development to protect budgets may well end up causing data breaches that are ultimately far costlier to the company.

“Digital tech requires CEOs to upskill to become data-centric in their operational strategies and focus,” Worthy concludes. “Otherwise, we will continue to see big data problems plague the healthcare industry at the cost of billions of dollars and patient safety and wellbeing.”
