University of Pittsburgh Medical Center Patients Warned of BA HIPAA Breach

A Business Associate (BA) of the University of Pittsburgh Medical Center has notified the healthcare provider, and numerous other clients, of a HIPAA breach caused by a rogue employee. The now former employee is alleged to have stolen the records of 2,259 patients.

Medical Management LLC – a medical billing company – was notified by federal law enforcement agencies that a member of staff at the company was believed to have stolen and disclosed confidential data and that the incident was being investigated. The employee in question – who has not been named – was a worker in the company’s call center. That person has been accused of copying “personal information from the billing system” and disclosing the information to a third party.

Social Security Numbers and Personally Identifiable Information Stolen

Patients affected by the breach are being sent breach notification letters from today to alert them that their personal information has been obtained and disclosed. They have been advised that their names, dates of birth and Social Security numbers had been compromised. Breach notification letters should be received by all affected individuals in the next few days.

Not all UPMC patients have been affected, as the data stolen related to patients that had received treatment at UPMC emergency departments. Patients affected by the breach are being offered credit monitoring services with Kroll Inc. for a period of a year without charge to help protect against identity theft, medical & insurance fraud.

HIPAA Breach Attributed to a Disgruntled Employee

UPMC’s vice president of privacy and information security, John Houston, explained in a statement that efforts are being made to improve security to prevent future breaches of this nature occurring again.

“We apologize for any anxiety or inconvenience that this incident may cause for our patients. We hold our vendors to the same high privacy standards that we have for ourselves. Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners.”

Second HIPAA Breach Involving UPMC

This is not the first time UPMC has had to deal with a data breach. Last year it was attacked by a hacker who managed to steal a database containing personal information of all 62,000 of UPMC’s employees.

Hackers broke through UPMC’s defenses in February, with the incident not being discovered until April. The investigation into the data breach revealed that Social Security numbers, financial information, salary details, bank account numbers and other confidential information has been stolen. In that breach, at least 817 employees reported that their information had been used to commit tax fraud.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.