The U.S. Department of Health and Human Services is investigating allegations that proprietary information from Monroeville's 911 dispatch center was released in violation of federal privacy law.
An August 2012 complaint to the department's Office for Civil Rights alleged the municipality's emergency management service provided health information protected under the federal Health Insurance Portability and Accountability Act (HIPAA) to a former police chief via email.
The complaint also said generic user names and passwords were created to access a database of 911 callers' medical information, giving anyone with that information the ability to anonymously access personal medical records.
Monroeville officials plan to hire outside legal counsel and a private investigator to handle the investigation.
Monroeville's 911 dispatch center covers Monroeville, Pitcairn and Wilmerding.
"Anyone who has called the police, called the fire department, used our [emergency medical service]" or was transferred to or from a Monroeville hospital could be affected by the breach, Monroeville manager Lynette McKinney said. Monroeville police Chief Steven Pascarella said the leaks likely started sometime in late 2011 and continued until he discovered them in August 2012.
The breach first surfaced last year after then-Assistant Chief Pascarella filed the complaint, alleging ambulance dispatches were being sent to former Monroeville police Chief George Polnar, who retired in January 2010 and is now employed as the manager of security and parking at UPMC East in Monroeville.
But Ms. McKinney said the breach was wider than that.
"The magnitude of this investigation is well beyond the leaking of one resident's private information to a former chief of police," she said on Tuesday.
Chief Pascarella said that municipal employees and some non-municipal employees wrongly had access to a database containing information from calls to the municipality's dispatch center, though he doesn't know how many people had that access. He said the type of information varied depending on the type of emergency call, but it could include an individual's name, driver's license number, birth date and medical history.
Chief Pascarella was sworn in as chief of the police department on March 12, the same day Ms. McKinney took the manager's position. She was appointed interim manager in January after the resignation of former manager Jeff Silka, who said he was leaving because of pressure from a bloc of council members to remove then-police Chief Doug Cole. The former police chief was demoted to sergeant by Ms. McKinney two days after she was appointed to the interim position.
"I hope the residents now see the seriousness of the situation and hopefully they now understand why I as well as council members could not comment ... on recent personnel changes," she said on Tuesday.
Sgt. Cole disputes Chief Pascarella's allegations and said it's his understanding that the information sent out in dispatch data was not information protected under HIPAA.
According to a letter from the Department of Health and Human Services' Office for Civil Rights obtained by the Pittsburgh Post-Gazette, the municipality has 30 days from when Ms. McKinney received the letter on March 21 to conduct the investigation.
Information requested by Health and Human Services includes documentation of any internal investigations of the allegations; documentation of steps the municipality took to address the matter; Monroeville's policies with regard to privacy; and other items.
According to the letter, the allegations could be a violation of the HIPAA's rules on privacy, breach notification and security.
Iliana Peters, a spokeswoman with the Office for Civil Rights, said in an email that those rules "provide federal protections for personal health information and give patients an array of rights with respect to that information."
If the municipality fails to comply with the department's investigation or "willful neglect" is discovered, it could be fined as much as $1.5 million, according to the letter from Health and Human Services.
Ms. McKinney said she alerted Chief Pascarella and solicitor Bruce Dice as soon as she received the letter. She said she has not yet hired a private investigator or a lawyer who specializes in HIPAA laws, but she planned to alert council and the mayor about the investigation on Tuesday. She said she was working to ensure the municipality's "accurate compliance with their request" and will "expedite necessary procedures ... in an effort to limit the municipality's liability."
Mr. Dice and Mr. Polnar did not return calls seeking comment.
Chief Pascarella said each of Monroeville's five fire stations had login information that would let them view information about calls to the dispatch system. Eventually, he said, anyone with that login information was able to view dispatch information from outside computers. He said as soon as he was promoted, he terminated EMS and fire department access to the database. Now, he said, only employees in the police department and dispatch center have access to the data.
When the system was set up, he said, everyone who had access to the database had a unique user name and password, except for the five fire stations. Those fire stations each had a single login and password that were available to an unknown number of people in each station.
"And that's what got exploited," he said.
"The residents of Monroeville need to know that I take these charges seriously, and I will do everything in my power to protect their privacy," Ms. McKinney said.
Annie Siebert: firstname.lastname@example.org or 412-263-1613. Twitter: @AnnieSiebert.