Dive Brief:
- An employee of Medical Management LLC illegally copied patient information (patient names, dates of birth and Social Security numbers) and disclosed it to a third party between 2013 and 2015.
- Originally thought to be limited to the University of Pittsburgh Medical Center (UPMC) and about 2,200 patients who may have had their information exposed, the breach is now believed to involve three New Jersey hospitals (Englewood Hospital, Holy Name Medical Center and The Valley Hospital), according to The Record. 1,500 patients at both Englewood and Holy Name Hospitals received letters from Medical Management regarding the breach.
- Two Pennsylvania providers, Jefferson Hospital and Conemaugh Health System, also reported that patients were possibly affected by the breach: up to 800 treated in Jefferson's emergency department and an undisclosed number at the Conemaugh Health System.
Dive Insight:
A statement by Medical Management said the company has terminated the employee and is cooperating with federal authorities in their criminal investigation. The company is providing all those who may have had their information disclosed a year of free identity theft protection.
UPMC's vice president of privacy and information security, John Houston, said in a statement: "We hold our vendors to the same high privacy standards that we have for ourselves. Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners."
The takeaway for providers is to thoroughly vet third-party vendors and to remember that breaches aren't always the result of overseas phishing schemes. "Many breaches have occurred as a result of an 'inside' job where employees have proven to be the weakest link," security and privacy expert Adam Levin, the chairman and founder of IDT911, tells Healthcare Dive, noting that such incidents aren't always intentional.