University of Pittsburgh Medical Center Privacy Breach Prompts Warning to Patients

Deanna Garcia reports:

UPMC is alerting nearly 1,300 people treated at various UPMC locations over the past year that their records were viewed inappropriately. The now former employee at UPMC McKeesport was not involved in the care of the patients and therefore should not have been looking at their information.

“Another employee called it to the attention to the management of the hospital,” said UPMC spokeswoman Wendy Zellner. “Thus, we took the action we did to terminate this employee.”

Local and federal authorities have also been alerted, and UPMC has notified the U.S. Department of Health and Human Services, as required by HIPAA, the patient privacy law. Zellner said this is an isolated incident and patient information is generally kept safe and secure.

Read more on WESA.

Isolated incident?  What about the employee at UPMC Shadyside who was indicted for improper access and disclosure of PHI? Paul Pepala pleaded guilty in July 2011 and was sentenced to probation for providing patient info to others for tax refund fraud.  It sounds like this employee may have been “just” snooping, but even so…

The notice linked from UPMC’s home page reads:

To protect the privacy rights of its patients, UPMC is alerting nearly 1,300 people treated at various UPMC locations over the past year that their records were viewed inappropriately by a UPMC McKeesport employee who was not involved in their care.

The employee has been terminated, and local and federal authorities have been alerted. Additionally, UPMC has notified the U.S. Department of Health and Human Services as required by the federal Health Insurance Portability and Accountability Act (HIPAA). UPMC is providing additional employee training and continuing its own review with the aim of enhancing its privacy policies and procedures.

“We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected,” said John Houston, UPMC’s vice president of privacy and information security. “Fortunately, one of our employees who became aware of the inappropriate activity alerted hospital management in early November, and we were able to track and stop this improper behavior. UPMC is committed to meeting our patients’ privacy expectations. We will continue to make significant investments in employee training and the best available tools for managing the use of our patients’ electronic records. However, there is no fail-safe system, and we ultimately depend on the integrity, vigilance and honesty of all of our employees.”

As a result of UPMC’s internal investigation, it was determined that the now former employee accessed patient medical records — including patients’ names, dates of birth, contact information, treatment and diagnosis information, and Social Security numbers — without a valid reason to do so, a violation of HIPAA. “The former employee reported to UPMC that she did not store this information or use it for financial gain,” said Mr. Houston. “But out of an abundance of caution, we deemed it appropriate to inform our patients. We suggest that everyone take steps, including credit monitoring, to protect his or her identity.”

UPMC is sending letters to patients whose information may have been viewed inappropriately in this incident. Patients who have any questions or concerns can contact the UPMC Office of Patient and Consumer Privacy at 412-647-6286 or check UPMC.com for additional privacy resources.

About the author: Dissent