This chest scan of a 60-year-old Homestead woman, complete with clinical examination notes, was part of a file on the UPMC's radiology department Web site that was accessible on the Internet until this week. The woman's family agreed to let the Post-Gazette reproduce the image if the paper removed information that reveals her identity. Other patients had their names and Social Security numbers posted on the Web site without their permission, in what UPMC officials acknowledge was "a mistake."
Names, Social Security numbers and other personal information for nearly 80 UPMC Health System patients were posted on the medical center's radiology department Web site possibly for as long as two years, apparently without the patients' permission.
"It looks like they made a training video and instead of blanking out the information, they left it in there for some stupid reason," said Robert Ewiak, 38, of Erie, after seeing his name and Social Security number on the Web site.
"I didn't agree to let them put my personal information on the Internet, that's for sure."
One slide has an image of a scan taken of retired Fox Chapel attorney Albert Hilton, and lists his Social Security number, insurance information and medications, as well as noting his previous medical screenings and procedures.
"Clearly, I think it's an invasion of privacy," said Mr. Hilton, adding that "I certainly haven't" given the hospital permission to use the information.
The majority of entries are dated Sept. 11, 2002, and list just the patients' names next to their medical record numbers, which match their Social Security numbers.
"I'm really shocked to see my name and Social Security number. At the very least, they should have had this in a password-protected site," said Lisa Rossi of Squirrel Hill, a former UPMC News Bureau staff member.
"With the Internet, who knows who's found this?"
UPMC officials quickly disabled the site Tuesday afternoon after the Pittsburgh Post-Gazette inquired about it, and they acknowledged yesterday that the posting was a mistake.
"I take this very seriously. I sure as heck don't want my co-workers looking at my data either," said John P. Houston, UPMC vice president for information security and privacy.
Mr. Houston said they knew the presentation had existed -- in fact, they had found and flagged the site two years ago.
"I was the person who said, 'This has to come down,' " he said.
But shortly afterward, the department replaced its server and he suspects the site inadvertently got restored without anyone noticing.
The medical center will be sending letters this week to all the patients affected, "to tell them what steps to take to make sure they are not victims of identity theft," said Richard Kidwell, director of risk management for UPMC.
Mr. Houston also said UPMC will pay the cost of monitoring the patients' credit records for a year if the patients want that service.
The confidential information was part of a PowerPoint presentation on integrating multimedia electronic medical records by Dr. Paul J. Chang, a former UPMC radiologist. One slide, ironically, listed "security" as one of the challenges.
Dr. Chang used the presentation for a workshop at a meeting of the Radiological Society of North America in December 2002, but said he had personally blocked out identifying information beforehand.
"That was not supposed to be on the UPMC Web site," said Dr. Chang, who left UPMC in June and is now on staff with the University of Chicago.
In a phone interview Tuesday, he speculated that someone must have found a copy of his presentation containing raw data, then posted it without realizing what was there.
"I don't know why it was available," he said. "They should have stripped that stuff out years ago."
Dr. Chang, a widely recognized expert in radiology informatics, said he took precautions to erase his data from his hard drive at UPMC before he left. But, looking back, he realizes he did not do the same for the department Web site.
"I confess that it never, ever entered my mind" to check, he said.
"Who would even think, 'Is there any of my stuff on the Web?' It's something we don't think about, but I sure will now."
One patient, Emma Cameron, 60, of Wilkinsburg, initially said "I really don't care" when told her name and Social Security number were on the Web site. But she added, "I wouldn't be very happy if someone stole my identity."
Less than two hours later, Mrs. Cameron's daughter, Deanna North of Farmington Hills, Mich., called the Post-Gazette, worried about her mother's information being posted on the Internet.
"She doesn't know what the implications are," said Mrs. North. "It's a shame. I don't think a lot of these people understand what the implications are, because they're sick and they're elderly."