The case of Kaiser and Sure File Filing Systems underscores how patient information remains vulnerable in the hands of healthcare providers and outside contractors.

Federal and state officials are investigating whether healthcare giant Kaiser Permanente violated patient privacy in its work with an Indio couple who stored nearly 300,000 confidential hospital records for the company.

The California Department of Public Health has already determined that Kaiser “failed to safeguard all patients’ medical records” at one Southern California hospital by giving files to Stephan and Liza Dean for about seven months without a contract. The couple’s document storage firm kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.

Until this week, the Deans also had emails from Kaiser and other files listing thousands of patients’ names, Social Security numbers, dates of birth and treatment information stored on their home computers.

The state agency said it was awaiting more information from Kaiser on its “plan of correction” before considering any penalties.

Officials at the U.S. Department of Health and Human Services began looking into Kaiser’s conduct last year after receiving a complaint from the Deans about the healthcare provider’s handling of patient data, letters from the agency show. Kaiser said it hadn’t been contacted by federal regulators, and a Health and Human Services spokesman declined to comment.

Kaiser said it remained confident that this patient information was never disclosed or accessed inappropriately. It said that some employees were disciplined because company policies were not followed and that it had informed regulators of the steps it had taken to ensure this type of incident didn’t happen again.

“Kaiser Permanente is committed to protecting the medical and personal privacy of its patients,” spokesman John Nelson said. “In retrospect, we certainly wish we’d never done business with Mr. Dean.”

Even with tougher government oversight of medical privacy in recent years, this case underscores how confidential patient information remains vulnerable in the hands of big healthcare institutions and legions of outside contractors.

“Kaiser has shown extraordinary recklessness in this situation,” said Beth Givens, director of the Privacy Rights Clearinghouse in San Diego. “Healthcare companies have to make sure their contractors adhere to ironclad security practices.”

Federal and state laws impose strict standards on anyone dealing with patient information. The privacy rule of the federal Health Insurance Portability and Accountability Act, known as HIPAA, bans the unauthorized disclosure of individuals’ medical records and requires healthcare providers and vendors, such as billing and storage companies, to protect the information.

Despite those rules, personal medical information of 21 million people nationwide has been improperly exposed since 2009, according to federal data. Last year, Blue Cross Blue Shield of Tennessee agreed to pay $1.5 million to resolve allegations it violated federal law after 57 computer hard drives with patient information were stolen from an outside facility.

In October, Kaiser sued the Deans in Riverside County Superior Court, accusing them of violating their contract by not returning all of its patient information two years ago when Kaiser picked up the paper records.

In court filings, Kaiser said the Deans put patient data at risk by leaving two computer hard drives in their garage with the door open. In response, Stephan Dean moved them to a spare room. On a recent day they sat next to a red recliner where Ziggy, the family’s black-and-white cat, curled up for a nap. Dean said those hard drives contained spreadsheets on thousands of Kaiser patients, prepared at the company’s request.

At one point, Dean told Kaiser he was planning to contact patients about the whereabouts of their medical information because he felt Kaiser hadn’t taken proper precautions. The company sought a temporary restraining order against Dean, barring him from disclosing any confidential information. A Superior Court judge granted Kaiser’s request until Thursday, when another hearing is scheduled.

Dean, 47, got his foot in the door at Kaiser from his previous work labeling paper folders for courthouses, hospitals and doctors.

But the demand for folders was slipping as hospitals and doctors used computers more. Kaiser was at the forefront of this shift as it invested billions of dollars in its HealthConnect system, which it bills as the largest private-sector electronic health record in the world. Kaiser, with more than 9 million customers, is the nation’s largest nonprofit insurer and hospital system.

Dean said his small business, Sure File Filing Systems, got a big break when Kaiser acquired the Moreno Valley Community Hospital in 2008. The company needed to organize and clear out thousands of old patient files, and it gave the job to the Deans, Kaiser records show.

In August 2008, the Deans started packing up thousands of files from Moreno Valley and moving them to the warehouse in Indio.

Hospital clerks routinely messaged Dean asking him to pull records on specific patients, emails sent by Kaiser to Sure File show. Dean said some Kaiser employees would put the patient’s full name in the subject line of the email, and other messages listed the patient’s Social Security number, date of birth, doctors’ names and treatment dates. One message started, “Good Morning Sure File,” and requested adoption records for a child.

Dean said Kaiser showed little concern for patient privacy in handling those requests. Only one out of more than 600 emails from Kaiser was password-protected with encryption, he said. Many medical providers use such technology so information isn’t visible to others.