UPMC revealed Wednesday that a former employee compromised the records of nearly 1,300 patients treated at various locations throughout the hospital system this year, prompting the health care giant to file a complaint with federal authorities about the privacy breach.
UPMC fired the woman, who worked at its UPMC McKeesport facility, on Wednesday and notified McKeesport police about the situation. UPMC also said that the woman's supervisor knew about the security breach but took no immediate action.
The health system posted a news release on its website alerting patients that records were viewed "inappropriately" by a woman UPMC did not identify.
That person was not involved in the patients' care, UPMC said.
The woman, a "unit coordinator" in the hospital's emergency department, was an administrator with access to records throughout the hospital system, spokeswoman Wendy Zellner said.
The woman had been working at UPMC McKeesport for about a year.
The former employee was able to access the patients' medical records, names, dates of birth, contact information, treatment and diagnosis information, and Social Security numbers, UPMC said.
The motive was unclear.
"The former employee reported to UPMC that she did not store this information or use it for financial gain," John Houston, UPMC's vice president of privacy and information security, said in the release.
UPMC said it notified the U.S. Department of Health and Human Services about the potential violation of the federal Health Insurance Portability and Accountability Act, which protects patient information.
Susan McAndrew, deputy director for health information privacy at the department's Office for Civil Rights, verified that a federal investigation will be conducted.
Ms. McAndrew said that because the alleged breach affected more than 500 people, it would be added to a public website documenting such instances.
McKeesport police Capt. Timothy Hanna said his department "may or may not be investigating."
UPMC is sending letters to affected patients and suggesting they closely monitor their credit card statements.
It is also providing employee training and conducting an internal review.
The breach was uncovered by a UPMC employee who became aware of it and alerted hospital management in early November.
Ms. Zellner did not have information on who that person was or how the individual became aware of suspicious activity.
She said the woman had been suspended but did not know when that occurred or when the woman's access to the computer records system was blocked.
"I think first they had to investigate it -- did she in fact look at records inappropriately? They had to look at it and figure it out," Ms. Zellner said. "I think they acted as quickly as possible."
Mr. Houston cautioned that "there is no fail-safe system, and we ultimately depend on the integrity, vigilance and honesty of all of our employees."
Ms. Zellner said that UPMC's electronic records system did alert the unit coordinator's supervisor to a potential problem.
"I guess the electronic system, it did flag certain suspicious activities," Ms. Zellner said. "But the person's supervisor didn't immediately investigate or report the activity, so we are taking appropriate disciplinary action on that level, too."
Jonathan D. Silver: firstname.lastname@example.org, 412-263-1962 or on Twitter @jsilverpg. First Published November 27, 2013 3:41 PM