
UPMC says billing contractor stole patient information

Personal data may have been stolen from more than 2,000 UPMC patients by an employee of an outside company the hospital giant used to handle emergency room billing, the latest in a string of data thefts to hit Pittsburgh health companies.

UPMC said Friday that the employee stole names, birthdates and Social Security numbers of patients from more than 40 health care providers across the country during the past two years, including about 2,200 UPMC patients who used the system’s emergency departments. Federal law enforcement agencies are investigating the incident, UPMC said.

Spokeswoman Wendy Zellner said the health system was not aware of any of its patients becoming the victims of fraud, and there was no evidence that medical histories or other health records were compromised.

The billing company, Medical Management LLC, a subsidiary of Zotec Partners in Carmel, Ind., fired the employee, UPMC said. Officials with Zotec Partners could not be reached for comment.

The U.S. Attorney’s office in Pittsburgh declined to comment on the theft.

According to UPMC, federal law enforcement agencies notified Medical Management of their criminal investigation into the employee, who worked in a call center and was illegally disclosing the data “to a third party.” The company “informed UPMC and numerous other health care providers of the theft.”

Zellner said more than 40 providers were affected. Neither Highmark Health nor Allegheny Health Network contracts with Medical Management or Zotec, their spokesmen said.

Stolen electronic health records are worth as much as $50 per person on the black market, compared to $1 for each Social Security or credit card number, the FBI reported in 2014.

An individual’s full profile — with financial and personal data — could fetch as much as $500 per person, according to RSA, a computer security company in Bedford, Mass. Health information can be used to file false insurance claims, obtain prescription medication and receive free medical care, RSA said.

UPMC apologized for the theft and said it was looking at how it could protect its information better.

“We hold our vendors to the same high privacy standards that we have for ourselves,” said John Houston, UPMC’s vice president of privacy and information security. “Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners.”

UPMC was the victim of a data breach last year in which Social Security numbers and other sensitive data from all 62,000 UPMC employees were stolen when thieves hacked into an employee database at the health system.

Personal information was stolen this year from about 52,000 Highmark Inc. insurance subscribers when hackers breached a database of tens of millions of patient records at insurer Anthem Inc.

Medical Management is sending letters to patients whose information might have been stolen, UPMC said. Patients who receive letters and have any questions can contact Kroll Inc., a company hired to provide identity theft protection services, at 855-330-6364.

Alex Nixon is a staff writer for Trib Total Media. He can be reached at 412-320-7928 or [email protected].
