Paul J. Gough reports that an employee of UPMC St. Margaret was fired after they sent a record to an unidentified outside organization that contained patient information.

A March 5th statement on UPMC’s web site reveals that on August 8, 2020, UPMC first became aware of the inappropriate disclosure of a medication administration report to an outside organization without a business need for the protected health information.

Through the investigation, UPMC determined that names, internal UPMC identification numbers and medication administration data may have been inappropriately disclosed. “Medication administration data” may include the drug name, dosage, time/date of administration, and reason for administration. Please be assured that neither Social Security Numbers nor medical records were inappropriately accessed/disclosed.

UPMC terminated the employee’s access to UPMC systems and terminated the employee’s employment with UPMC. Federal authorities were also notified.

On March 5, 2021 UPMC began mailing letters to affected patients. Their statement does not explain why the delay in notification from discovery. Did law enforcement request the delay?  Is there any criminal investigation ongoing?

DataBreaches.net sent an inquiry to UPMC this morning, but has received no reply by publication time. This post will be updated if and when an explanation for the delay is received. The incident does not appear on HHS’s public breach tool, and UPMC’s statement does not indicate whether there were more than 500 patients or fewer than 500 patients involved.