kaiserfraud (corphq) wrote,
@ 2005-03-17 20:49:00
Entry tags: kaiser lawsuit, kaiser permanente

The DMHC Lies!!!
I just re-read the DMHC order/threat letter. It says DMHC authorities have determined that in July 2004...a former Kaiser Permanente employee, posted unauthorized personal and confidential patient information including names, lab orders, medical record numbers and other unique and identifiable information on a publicly accessible Web site.

Good grief.

I did not *post* the Kaiser Diagrams in July: I discovered and revealed them. I provided a link to them. I reported that site to anyone who would listen.

The DMHC didn't investigate anything. They are Kaiser mouth-pieces, and they just corroborated Kaiser's cover story for the public!!!

It is not possible for an investigation to determine that I was the one who posted those Systems Diagrams in July because I didn't do it.

Behold the further proof that Kaiser has the power to overwrite reality with whatever is most suitable to them and most destructive to their critics.

*****

For anyone with technical research skills, I have a final IP address from a traceroute on the original docviewer.tripod.com site:

100.240.202.209.in-addr.arpa IN PTR members.tripod.com

I didn't research it further because I figured the IP just went back to Tripod, a popular host for free web sites. But maybe Tripod has data centers in different locations, and the IP can help determine the area of the country and/or world where the docviewer site was originally posted.

*****

I found a copy of my HIPAA complaint. Here it is word-for-word, except I have removed the patient data. I want to point out that I misread the time stamp on the Internet Archive when I wrote this complaint: I thought it said 2003, when it says 2002. I was actually working at Kaiser in December 2002: but at the time I was a happy temp looking forward to being hired in January. As I've stated before, I did not work in either a health care or a database/programming capacity: I had no access to patient information systems from either a professional or technical standpoint.



Date: Fri, 24 Sep 2004 13:22:32 -0700 (PDT)
From: *deleted*
Subject: Fwd: Re: Kaiser Permanente HIPAA Violation
To: OCRComplaint@hhs.gov

I am filing a complaint on behalf of any real people
whose identifying information was displayed online in
Kaiser Permanente Systems Diagrams that appeared on
the web.

I prefer to be contacted by email.

HIPAA violator information:
Kaiser Permanente
1 Kaiser Plaza
Oakland, CA 94612

I don't know the phone number of Kaiser's HIPAA
representative.

Here is the HIPAA violation report:

Kaiser Permanente had systems diagrams for Northern
California posted on the web for quite some time.
You can see from the Internet Archive cache that the
page had been indexed since 2002:
http://web.archive.org/web/*/docviewer.tripod.com

I have no idea who originally posted the site. I am a
former employee of the department involved, the
Northern California Technology Group (Office of the
CTO), which is why I recognized what the material
posted on the web site was, but the time stamps on
some of the web pages will show they were posted long
after I was gone.

My theory about the systems diagrams posted on the web
is that they may have been used as a communications
tool by the primary consultant firm used by the
department responsible for those systems: Covansys.

Since the time I originally sent an inquiry to OCR,
Kaiser seems to have taken down the site, probably as
a result of my efforts to bring the breach of security
aspects to light. However, I mirrored the site so the
HIPAA question can be investigated. I have temporarily
posted it here:
http://kaisersystem.netfirms.com/docviewer/index.html

To make sure this is crystal clear - this is not the
url where these diagrams were originally posted. That
url was docviewer.tripod.com. I have copied and
reposted the web pages at a new address.

My HIPAA concern is that some of the screen images
have patient names and other personally identifiable
information. It might be test data: I would like a
HIPAA officer to look into this and make sure. I know
that Kaiser has used real patient data in systems
presentations before. For instance, I was present
during a project manager meeting for a presentation on
the Nighthawk system in Northern California in which
the doctors pointed out and recognized they had just
committed a HIPAA violation.

On a cursory glance I found two possible patient
names:
1. *deleted*
2. *deleted*

Also, the list of Providers on the "SAS Tools" page
is real. You can verify them through the Kaiser
Permanente Physician directory at www.kp.org.

While Kaiser has now taken down the site, I think
there should still be an investigation (if the patient
data proves to be real) because the information was
apparently hanging out there for months, while HIPAA
was in force. I was actually pointing out this site
for over a month before Kaiser bothered to do anything
about it. Also notice that during this time anyone
could have copied these pages to repost them
elsewhere: I have done just that to facilitate your
investigation.

Thank you for taking the time to look into this. I'm
happy to answer further questions if I can.



