University of Pittsburgh Medical Center patients victimized by rogue employee of Medical Management LLC
UPMC is only one of “numerous” clients of NC-based Medical Management LLC that have reportedly been notified of data theft by a rogue employee. We’ll have to wait to learn who the other entities are. The following is a press release issued today by UPMC:
Because of a data theft at an outside medical billing company, about 2,200 people treated at various UPMC emergency departments are being notified in writing that their records may have been illegally disclosed by an employee of Medical Management LLC. MML and its affiliates provide billing services to health care providers throughout the United States, including to UPMC’s physician group Emergency Resource Management Inc.
MML recently informed UPMC and numerous other health care providers of the theft after federal law enforcement agencies notified MML of a criminal investigation into the incident. A call center employee—since terminated by MML—has been identified as being responsible for copying certain items of personal information from the billing system over the past two years and then illegally disclosing that information to a third party.
The personal information that was accessed and potentially compromised includes names, dates of birth and Social Security numbers. There is no evidence that information about medical histories or treatments was disclosed.
UPMC worked with MML to investigate this data breach and has independently reported this matter to the appropriate federal and state authorities. MML has secured the services of Kroll Inc. to provide identity theft protection at no cost to affected patients for one year.
“We apologize for any anxiety or inconvenience that this incident may cause for our patients. We hold our vendors to the same high privacy standards that we have for ourselves. Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners,” said John Houston, UPMC’s vice president of privacy and information security.
MML is sending letters to patients whose information may have been stolen in this incident. Affected patients who received letters and have any questions should contact Kroll Inc. at 1-855-330-6364, 8 a.m. to 5 p.m. CT, or check UPMC.com for additional privacy resources.
Update: A template of Medical Management’s notification letter can be found on the California Attorney General’s web site, here (pdf).