HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UPMC Health Plan Data Breach Affects 722 Subscribers

UPMC Health Plan has reported a data breach affecting 722 insurance subscribers. This is the second data breach to affect the health plan this year. In May, UPMC reported that 2,000 patient records had been compromised.

The latest data breach appears to have resulted from an internal error. Yesterday, UPMC spokeswoman Gina Pferdehirt said patient information was compromised when an email containing PHI was sent to an unauthorized person.

The statement released by UPMC says the email was sent by accident, suggesting there was no malicious intent behind the data breach. According to UPMC, “The email meant for a physician’s office in Lawrence County was sent instead to an incorrect address, revealing patient names, insurance membership numbers, birth dates and phone numbers.”

According to a response provided to the Pittsburgh Post-Gazette, Pferdehirt said, “while we take this seriously, in context the breach is very minor.”

The email did not contain financial information, health data or Social Security numbers, although member names, dates of birth, ID numbers and phone numbers were compromised.

Pferdehirt did not say when UPMC discovered the breach; however, the incident occurred on June 4, 2014, and the data breach was reported to federal authorities on July 2, after an internal investigation had been conducted. This suggests the data breach was rapidly identified by UPMC’s IT department.

Pferdehirt said, “We are contacting the members, and we really are sorry about this.” Affected patients will be provided with further information by mail, including how to reduce the risk of identity theft in the event that the information is used.

The recent data breaches affecting UPMC highlight the difficulty organizations can have keeping PHI secure. Accidental disclosures of PHI can all too easily occur, even with staff training, and it is difficult to totally eliminate the risk of a Business Associate causing a data breach. The May breach also affected 39 other companies. UPMC was also targeted by hackers last year, who managed to steal 62,000 patient records.

Security has been improved in the wake of the past breaches, and UPMC will continue to improve defenses to prevent similar attacks from taking place in the future.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.