University Times

UPMC last week announced that it is investigating a posting to a UPMC web site that has led to the disclosure of personal information on some current and former patients.

The discovery was brought to UPMC’s attention on April 10 and the confidential information was removed immediately from the web site.

UPMC’s preliminary investigation has determined that the names and social security numbers of approximately 80 patients were disclosed in a professional presentation prepared by a former Pitt faculty member for a medical symposium in 2002. The presentation also included selected data regarding some patients, including types of radiological examinations performed on them, the date and time of those examinations and (in two patients’ cases) additional information.

Following the medical symposium, a copy of the former faculty member’s presentation was posted on an area of the UPMC Department of Radiology web site where faculty members share academic information with other health care professionals.

While such sharing of academic knowledge is encouraged by UPMC, the unauthorized disclosure of personal patient information in any setting or format is strictly prohibited.

“In 2005, we discovered that this information was posted on a radiology web site and we removed it. It was apparently inadvertently re-posted on the site,” said Bob Cindrich, UPMC chief legal officer and general counsel. “At the same time we are continuing our review process and, in the event additional instances are found, patients will be notified. We are taking all possible measures to protect the individuals affected from any misuse of the information. We also are reviewing our radiology department web site to determine whether there are other instances in which patient names and personal information may have been accidentally posted without our knowledge.”

John Houston, UPMC vice president of information security and privacy, said, “We are taking this matter extremely seriously. None of the disclosures included addresses or other contact information, or any financial information related to the affected patients. At this point we are not aware of any evidence to indicate that any of the information on the web site has been misused.”

UPMC is in the process of notifying all affected patients and apologizing to them. UPMC also is informing all affected individuals that even though no personal financial information was posted, it will pay for credit protection services for them through any national credit protection service, including Equifax, Experian and TransUnionCorp. Affected patients are being provided with contact information for these services.