A data breach at the University of Pittsburgh Medical Center (UPMC), originally thought to have compromised the privacy of 332 employees, may actually have over 27,000 victims, according to a recent Pittsburgh Tribune-Review report. The alleged breach involved unauthorized access to the confidential personal information of UPMC employees, including their full legal names, addresses, Social Security numbers and dates of birth. The report indicates that at least 788 workers fell victim to tax fraud in the ordeal.

The potential breach was first reported in February, when several employees discovered their identities had been compromised. A lawsuit filed by Pittsburgh law firm Kraemer, Manes & Associates, LLC on February 27, 2014 on behalf of all affected employees alleges that UPMC is legally at fault for allowing the data breach. The suit states that the breach resulted in the personal and financial information of employees, as well as their W-2 forms, being accessed without authorization and, in some cases, used to fraudulently file tax returns in the employees’ names and open new bank accounts. The action also alleges that UPMC failed to disclose the breach in a timely manner. UPMC has until April 30 to answer initial charges in the suit.

UPMC has set up a hotline to help employees who may have been affected work through issues they are experiencing as a result of the breach. UPMC also hired a tax firm to work with affected employees. According to a notification letter sent to its employees, UPMC is working with the IRS, the Secret Service and other federal officials to identify the exact manner of the breach. To mitigate the effects of the breach, the organization has offered LifeLock identity protection services to all of its employees, who total about 62,000.

Ironically, FairWarning, a Florida-based company which provides patient information security services to healthcare systems, recently named UPMC “Visionary of the Year” as part of its 2014 Privacy Excellence Awards. Eagle Consulting President Gary Pritts was present at the awards ceremony held at HIMSS 2014 in Orlando this year. UPMC is one of the country’s leading nonprofit health systems with more than 20 hospitals and 400+ clinical locations throughout the US and world. This proves that even the biggest and best healthcare systems are at risk for data breaches.

While this case may not involve patient privacy, it will certainly serve as a reminder to all healthcare organizations using electronic health records to take seriously the requirements of HIPAA to protect the ePHI of patients.
