The University of Pittsburgh Medical Center (UPMC) Health Plan recently announced that 722 of members’ protected health information (PHI) may have been exposed when a file containing the data was sent to the wrong email address.
The breach was discovered on June 4, 2015, and an investigation determined that the file contained patient names, member ID numbers, birthdates, phone numbers, primary physician’s office names, and insurance plan types.
Social Security numbers and medical histories were not exposed.
UPMC Health Plan contacted the recipient of the email (though it’s not clear what response, if any, they received), retrained staff on email procedures, reported the breach to the U.S. Department of Health and Human Services, and sent notification letters to all affected members.
Members with questions are advised to contact Member Services at (888) 876-3764.
“We apologize for any anxiety or inconvenience that this incident may cause our members,” UPMC Insurance Services Division chief compliance officer William Gedman said in a statement. “Based on our ongoing investigation, we will make all changes necessary to further enhance our already stringent privacy protections.”
“UPMC Health Plan is committed to doing our utmost to minimize the chance that this type of issue will occur again,” Gedman added.
Lately, however, it has been occurring again and again — UPMC has been hit by a string of data breaches over the past few years, including earlier this year when third-party medical billing company Medical Management, LLC (MML) acknowledged that a former MML employee may have inappropriately accessed about 2,200 UPMC patients’ personal information.
“We hold our vendors to the same high privacy standards that we have for ourselves,” UPMC vice president of privacy and information security John Houston said at the time. “Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners.”
In April 2014, UPMC announced that as many as 27,000 employees’ personal information, including Social Security numbers, may have been exposed in a data breach. At the time of the announcement, at least 788 UPMC employees had already been victims of tax fraud.
And in November 2013, UPMC notified almost 1,300 patients that their medical records had been inappropriately accessed by a former employee. “We will continue to make significant investments in employee training and the best available tools for managing the use of our patients’ electronic records,” Houston said at the time. “However, there is no fail-safe system, and we ultimately depend on the integrity, vigilance and honesty of all of our employees.”
A recent study conducted by the Ponemon Institute and sponsored by ID Experts found that fully 91 percent of healthcare organizations have been hit by at least one data breach in the past two year, 39 percent have experienced two to five data breaches, and 40 percent have suffered more than five.
“Cyber criminals recognize two critical facts of the healthcare industry: 1) healthcare organizations manage a treasure trove of financially lucrative personal information and 2) healthcare organizations do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data,” the report stated.
Recent eSecurity Planet articles have examined the challenges of fighting insider attacks and the importance of offering effective security training.