The privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 emphasize taking steps to protect protected health information from unauthorized access and modification.[1] Nonetheless, even organizations highly skilled in data security that comply with regulations and all good practices will suffer breaches and must respond to them. This paper reports on a case study of the response to an important breach of the confidentiality and integrity of identifiable patient information in the Kaiser Internet patient portal known as "Kaiser Permanente Online" (KP Online). From the perspective of theories about highly reliable organizations, effective health information security programs must respond resiliently to security breaches as well as prospectively anticipate them.