Kaiser helped a child molester get his sentence cut in half by giving a child's medical information to the convict's sister over the phone. Kaiser's bid for self-exhoneration is that their phone representative "followed procedure", and the blame lies with whoever shared the child's medical record number and "password".

I personally very much doubt a password was involved. If the malefactors had the password, they could have obtained the information they wanted from Kaiser Online, without going through the risk and trouble of persuading a Kaiser employee to help them. As for MRNs - I think it's a bit mean-spirited to imply the only problem is the victim sharing their MRN with random strangers, when hundreds of thousands of Kaiser MRNs have been found on stolen laptops, on Kaiser magazine mailing labels, in the pockets of rogue temps, via Kaiser web site and email glitches, in random boxes at Office Depot, and, of course, posted for years on the Internet as part of the Systems Diagrams. And then there are scams, scams, and more scams. Given that Kaiser has so many leaks around the edges - which include outsourcing transcription to India (by using contracting firms that outsource to India) and exposing their Colorado Intranet for the whole world to see for goodness knows how long - how dare they even suggest that the ease with which a criminal obtained a child's medical records over the phone is a matter of the victim's responsibility in guarding their MRN?

Kaiser simply shouldn't be giving personal medical information out over the phone. There's just no way to verify who they are giving it to. The "unique" MRN has been proven to be an extremely low barrier - because Kaiser itself sprays this sort of data everywhere. It's time to stop allowing Kaiser to shift the blame for this problem (blaming the victim, attempting to frame the whistleblower, etc.) and start facing the reality that even organizations with the immense resources of Kaiser can't be trusted to protect our medical information. Perhaps there should be an independent service that keeps these records in the equivalent of a bank vault: that would not only be safer - it would make it easier for people to switch health care providers at the drop of a hat, too.