UPMC says billing contractor stole patient information
Personal data may have been stolen from more than 2,000 UPMC patients by an employee of an outside company the hospital giant used to handle emergency room billing, the latest in a string of data thefts to hit Pittsburgh health companies.
UPMC said Friday that the employee stole names, birthdates and Social Security numbers of patients from more than 40 health care providers across the country during the past two years, including about 2,200 UPMC patients who used the system’s emergency departments. Federal law enforcement agencies are investigating the incident, UPMC said.
Spokeswoman Wendy Zellner said the health system was not aware of any of its patients becoming the victims of fraud, and there was no evidence that medical histories or other health records were compromised.
The billing company, Medical Management LLC, a subsidiary of Zotec Partners in Carmel, Ind., fired the employee, UPMC said. Officials with Zotec Partners could not be reached for comment.
The U.S. Attorney’s office in Pittsburgh declined to comment on the theft.
According to UPMC, federal law enforcement agencies notified Medical Management of their criminal investigation into the employee, who worked in a call center and was illegally disclosing the data “to a third party.” The company “informed UPMC and numerous other health care providers of the theft.”
Zellner said more than 40 providers were affected. Neither Highmark Health nor Allegheny Health Network contracts with Medical Management or Zotec, their spokesmen said.
Stolen electronic health records are worth as much as $50 per person on the black market, compared to $1 for each Social Security or credit card number, the FBI reported in 2014.
An individual’s full profile — with financial and personal data — could fetch as much as $500 per person, according to RSA, a computer security company in Bedford, Mass. Health information can be used to file false insurance claims, obtain prescription medication and receive free medical care, RSA said.
UPMC apologized for the theft and said it was looking at how it could protect its information better.
“We hold our vendors to the same high privacy standards that we have for ourselves,” said John Houston, UPMC’s vice president of privacy and information security. “Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners.”
UPMC was the victim of a data breach last year in which Social Security numbers and other sensitive data from all 62,000 UPMC employees were stolen when thieves hacked into an employee database at the health system.
Personal information was stolen this year from about 52,000 Highmark Inc. insurance subscribers when hackers breached a database of tens of millions of patient records at insurer Anthem Inc.
Medical Management is sending letters to patients whose information might have been stolen, UPMC said. Patients who receive letters and have any questions can contact Kroll Inc., a company hired to provide identity theft protection services, at 855-330-6364.
Alex Nixon is a staff writer for Trib Total Media. He can be reached at 412-320-7928.