Second set of UPMC data found on Internet
A second set of UPMC patient names, Social Security numbers, X-rays and other personal medical information has surfaced on a Web site maintained by a California archival company.
The data and related medical scans came from a PowerPoint presentation by Dr. Paul J. Chang to the Radiological Society of North America in 2002.
In December 2003, the California company, The Internet Archive, retrieved the presentation from the UPMC radiology department's Web site and posted it on its own Web site. That made it available to anyone searching the Archive site.
At some point, the presentation was deleted from the UPMC Web site, but it remained on The Internet Archive site until Friday.
On Thursday, the Pittsburgh Post-Gazette reported that another old PowerPoint presentation by Dr. Chang containing UPMC patient data was still accessible on the UPMC site, with identifying personal information for nearly 80 patients.
UPMC removed the item from its Web site Wednesday, but a copy was still available from The Internet Archive through Friday morning.
The latest presentation contains information on eight additional patients, including X-ray scans. At least two of the patients have since died. But other slides clearly show valid Social Security numbers for still-living patients.
Both sites were taken down Friday afternoon after the Post-Gazette inquired about them, and Internet Archive access to UPMC radiology sites now has been blocked.
But information security experts say it's impossible to know whether other copies of the presentations have been downloaded or are still on the Internet.
UPMC officials are contacting patients whose data were disclosed, and they have offered to pay for credit monitoring services for one year to guard against identity theft.
"We want to have this purged as soon as possible," said John Houston, privacy officer for UPMC.
The federal government set up strict patient-privacy restrictions in 2003 under Title II of the Health Insurance Portability and Accountability Act, or HIPAA.
A spokesman for the Office of Civil Rights in the U.S. Department of Health and Human Services said that even if medical records predate the enactment of HIPAA, the law covers all identifiable information in both active and stored medical records. Office of Civil Rights officials were unavailable last week to discuss what happened at UPMC, according to spokesman Mike Robinson.
Reached by phone Friday, Dr. Chang said he remained puzzled about how the patient information got posted.
Mr. Houston said the first site was flagged for removal two years ago, but somehow reappeared, perhaps when the radiology department changed its Internet server.
"When you delete a file, it goes away, right?" said Dr. Chang.
While acknowledging that he doesn't know what happened, Dr. Chang said the only plausible explanation was that an old backup must have been used when the new server was installed. Then he asked rhetorically, "But why would they use an old backup?"
Dr. Chang, educated at Harvard and Stanford, was once named one of the 20 most influential people in radiology by Diagnostic Imaging magazine. While at UPMC, he developed software that allowed doctors to view X-rays on personal computers.
Using that technology, Dr. Chang and UPMC started a medical imaging and information management company called Stentor Inc., which was sold to Royal Philips Electronics in July 2005 for $280 million.
On the two presentations, Dr. Chang lists grants from the National Institutes of Health and the Defense Advanced Research Projects Agency, part of the U.S. Department of Defense.
"I thought I understood security," Dr. Chang said. "But you can only fix what you know. I confess this never, ever entered my mind."
Dr. Chang said he believes that someone at UPMC may have inadvertently posted an early version of his PowerPoint presentations, before he had masked the patient information. He speculated that multiple versions of the presentation were on the department's server, and someone accidentally picked the wrong version to post. One lesson he has taken from all this, he said, is to keep early versions in a separate directory from finished work that will be presented publicly.
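The separate-directory lesson only helps if something checks what is about to leave that directory. The following is an added example, not code from UPMC, Dr. Chang, or the Post-Gazette: a pre-publication scan that walks a directory destined for a public web root and flags files containing SSN-shaped values, including text inside .pptx decks (which are zipped XML, so the slide XML is read with the standard library and its tags stripped). The structural rules used to recognise an SSN (area 001-899 excluding 666, group 01-99, serial 0001-9999) are an assumption of this check, not something the article states, and the sample files and numbers are constructed for the demonstration. Findings are reported in masked form so the report itself does not become another copy of the data.

```python
"""Pre-publication scan for SSN-shaped identifiers in files bound for a public web root.
Added example; the sample directory it builds contains made-up values only."""
import re
import tempfile
import zipfile
from pathlib import Path

# Assumption: a token counts as SSN-shaped only if it follows the structural rules for
# issued numbers (area 001-899 except 666, group 01-99, serial 0001-9999) and is not
# embedded in a longer run of digits. Phone numbers (3-3-4) do not fit this shape.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
XML_TAG_RE = re.compile(r"<[^>]+>")
TEXT_SUFFIXES = {".txt", ".md", ".html", ".htm", ".csv", ".xml"}


def find_ssn_candidates(text):
    """Return every SSN-shaped string in text, in order of appearance."""
    return SSN_RE.findall(text)


def extract_text(path):
    """Return the publishable text of a file. A .pptx is a zip of XML parts; the slide
    parts are read and their tags replaced by spaces. Other listed suffixes are read as
    plain text. Anything else yields an empty string and is therefore never flagged."""
    path = Path(path)
    suffix = path.suffix.lower()
    if suffix == ".pptx":
        parts = []
        with zipfile.ZipFile(path) as zf:
            for name in zf.namelist():
                if name.startswith("ppt/slides/slide") and name.endswith(".xml"):
                    xml = zf.read(name).decode("utf-8", errors="replace")
                    parts.append(XML_TAG_RE.sub(" ", xml))
        return "\n".join(parts)
    if suffix in TEXT_SUFFIXES:
        return path.read_text(errors="replace")
    return ""


def mask(ssn):
    """Report form: keep only the last four digits so the report is not a second leak."""
    return "***-**-" + ssn[-4:]


def scan_publish_dir(root):
    """Walk root and return {relative_path: [masked hits]} for files with SSN-shaped
    values. Unreadable files and corrupt zips are skipped rather than crashing the scan."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            hits = find_ssn_candidates(extract_text(p))
        except (OSError, zipfile.BadZipFile):
            continue
        if hits:
            findings[str(p.relative_to(root))] = [mask(h) for h in hits]
    return findings


def build_sample_dir():
    """Create a throwaway 'to be published' directory of constructed files. The numbers
    are invented for this example and do not come from any record."""
    root = Path(tempfile.mkdtemp(prefix="publish_"))
    (root / "notes.txt").write_text(
        "Draft speaker notes. Case 1: SSN 123-45-6789, contact 412-555-0100.\n")
    (root / "clean.html").write_text("<p>Case 2: SSN XXX-XX-6789 (masked)</p>\n")
    (root / "sub").mkdir()
    # Malformed values that should not be flagged: bad area, 666, 9xx area, group 00.
    (root / "sub" / "ids.csv").write_text("000-12-3456,666-12-3456,900-12-3456,123-00-4567\n")
    slide = ('<?xml version="1.0"?><p:sld xmlns:p="x" xmlns:a="y"><p:txBody>'
             '<a:t>Patient 219-09-9999, chest film 2002</a:t></p:txBody></p:sld>')
    with zipfile.ZipFile(root / "deck.pptx", "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", slide)
    return str(root)


if __name__ == "__main__":
    report = scan_publish_dir(build_sample_dir())
    for rel, hits in report.items():
        print(f"BLOCK {rel}: {len(hits)} SSN-shaped value(s) {hits}")
    if not report:
        print("no SSN-shaped values found by this check")
```

Run as a gate in whatever step copies files into the web root, and treat any non-empty report as a stop. The check is deliberately narrow (one identifier shape, a handful of file types) so that it has no false positives on phone numbers or masked placeholders; it is not a substitute for keeping drafts out of the published tree in the first place.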
The benefits of having medical records in digital form still "far outweigh" the liabilities, including accidental postings that "show that we are still pretty young and pretty inexperienced at this," Dr. Chang said.
"I can guarantee this will never happen at UPMC again, but something else will. It's more than the Internet. It's being digital. If I burn a piece of paper, it's gone. If I shred a record, it's gone. But if I have an electronic version, it doesn't ever go away."
First Published April 14, 2007 11:29 pm