BA HIPAA Breach Warning for University of Pittsburgh Medical Center Patients

A Business Associate (BA) of the University of Pittsburgh Medical Center has issued a notification to  the healthcare center, and many other clients, of a HIPAA breach caused by a member of staff. The now former staff member is accused of having stolen the records of 2,259 patients.

Medical Management LLC – a medical billing company – was advised by federal law enforcement agencies that a member of staff at the company was thought to have stolen and disclosed confidential data and that the incident was being examined. The employee in question – who remain anonymous – was a worker in the company’s call center. That person has been accused of copying “personal information from the billing system” and disclosing the private information to a third party.

Patients affected by the breach of HIPAA are being sent breach notification letters from today to warn them that their personal information has been obtained and disclosed. They have been told that their names, dates of birth and Social Security numbers had been compromised. Breach notification letters will be received by all affected people in the next few days.

Not all UPMC patients have been affected by the breach, as the data stolen related to patients that had received treatment at UPMC emergency departments. Patients affected by the breach are being offered free credit monitoring services with Kroll Inc. for a period of a year wto help protect against identity theft, medical & insurance fraud.

UPMC’s vice president of privacy and information security, John Houston, outlined in a statement that attempts are being made to improve security to prevent future breaches of this nature happening again.

“We apologize for any anxiety or inconvenience that this incident may cause for our patients. We hold our vendors to the same high privacy standards that we have for ourselves. Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners.”

This is not the first time UPMC has had to react to a data breach. In late 2014 it was attacked by a hacker who managed to steal a database containing personal information of all 62,000 of UPMC’s employees.

Hackers infiltrated UPMC’s defenses in February, with the incident not being recognized until April. The investigation into the data breach showed that Social Security numbers, financial information, salary details, bank account numbers and other confidential information has been taken. In that privacy breach, at least 817 employees reported that their information had been used to carry out tax fraud.