2013 USPS Security Breach Exposed the Health Information of 485K Employees

The hacking of the United States Postal Office computer Network in September 2013 exposed the personal information of approximately 800,000 employees and included a database of 2.9 million customer complaints containing some personal information.

The security breach was discovered on September, 11, 2013 when the Department of Homeland Security informed the USPS that its servers were sending unauthorized communications outside of the network, indicating its computer network had been compromised.

An investigation was immediately launched which revealed 29 servers had been compromised and a large volume of data had been copied from the servers, including HR files containing the financial information of employees. An FBI investigation revealed the hack to be highly sophisticated in nature. The decision was taken not to close down the servers and alert the hackers, although access was finally shut off and security measures installed on Nov, 8 and 9, 2013. The public and all affected employees were advised of the breach the following day.

While the breach was reported late last year, further information has now been released indicating that some health information was present in the stolen data and approximately 485,000 individuals have potentially been affected.

The USPS has sent out additional breach notification letters to advise the persons concerned of the information that potentially could be accessed by the hackers or individuals now in possession of the data. They have also been offered a year of free credit monitoring services to ensure any fraudulent activity is quickly identified so that any damage can be mitigated.

The health information was recorded in a file that was linked to the Human Resources files previously known to have been stolen. The file contained details of employees who had previously made personal injury claims against the USPS and included information such as diagnosis codes, the locations of the injuries suffered, procedure codes and a number of codes used for the billing of medical services.

Although the data breach has exposed the health information of hundreds of thousands of individuals, the USPS is not actually covered under HIPAA regulations because the data was not part of a health plan and the USPS is not a healthcare provider. As such the USPS did not report the breach to the Office for Civil Rights and will not face any financial penalties for HIPAA violations.

While HIPAA laws have not been broken, federal laws do exist to protect the privacy of employees. Any person who has had their health or personal information disclosed is able to take legal action – under the Privacy Act of 1974 – against the USPS for failing to take sufficient measures to protect their personal data.

However, previous lawsuits filed for the improper disclosure of private information have all been dismissed unless there has been clear evidence that an individual has suffered harm or other damages as the result of the data breach. The exposure of data alone is insufficient to see any damages awarded to the plaintiff.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.