The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

University of Pittsburgh Medical Center Patients Warned of BA HIPAA Breach

A Business Associate (BA) of the University of Pittsburgh Medical Center has notified the healthcare provider, and numerous other clients, of a HIPAA breach caused by a rogue employee. The now former employee is alleged to have stolen the records of 2,259 patients.

Medical Management LLC – a medical billing company – was notified by federal law enforcement agencies that a member of staff at the company was believed to have stolen and disclosed confidential data and that the incident was being investigated. The employee in question – who has not been named – was a worker in the company’s call center. That person has been accused of copying “personal information from the billing system” and disclosing the information to a third party.

Social Security Numbers and Personally Identifiable Information Stolen

Patients affected by the breach are being sent breach notification letters from today to alert them that their personal information has been obtained and disclosed. They have been advised that their names, dates of birth and Social Security numbers have been compromised. Breach notification letters should be received by all affected individuals in the next few days.

Not all UPMC patients have been affected, as the stolen data related to patients who had received treatment at UPMC emergency departments. Patients affected by the breach are being offered credit monitoring services with Kroll Inc. for a period of a year without charge to help protect against identity theft and medical and insurance fraud.

HIPAA Breach Attributed to a Disgruntled Employee

UPMC’s vice president of privacy and information security, John Houston, explained in a statement that efforts are being made to improve security to prevent breaches of this nature from occurring again.

“We apologize for any anxiety or inconvenience that this incident may cause for our patients. We hold our vendors to the same high privacy standards that we have for ourselves. Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners.”

Second HIPAA Breach Involving UPMC

This is not the first time UPMC has had to deal with a data breach. Last year it was attacked by a hacker who managed to steal a database containing personal information of all 62,000 of UPMC’s employees.

Hackers broke through UPMC’s defenses in February, with the incident not being discovered until April. The investigation into the data breach revealed that Social Security numbers, financial information, salary details, bank account numbers and other confidential information had been stolen. In that breach, at least 817 employees reported that their information had been used to commit tax fraud.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
