The University of Pittsburgh Medical Center was trying to figure out how private information for about 80 patients, including names and Social Security numbers and even radiology images of their bodies, wound up on the Internet.
The information was first put on the Web inadvertently in 2005, then taken down. The information from a medical symposium held in 2002 was posted on an area of the Web site where the health system's faculty members are encouraged to share their work and other data, UPMC said in a statement Thursday.
Once the health network discovered patient names and other information were included, it was removed, but somehow it was posted again and remained on the Web site until UPMC was notified again on Tuesday, said Robert Cindrich, a former federal judge who now serves as UPMC's chief attorney.
UPMC was notifying the patients affected and offering to pay for credit protection services, just in case the information might have been used by identity thieves. No financial information about patients was posted, nor were patient addresses or other contact information.
"At this point we are not aware of any evidence to indicate that any of the information on the Web site has been misused," said John Houston, UPMC's vice president of information security and privacy.
UPMC's full release is below.
UPMC MOVES SWIFTLY TO RESOLVE ANY PROBLEMS CREATED BY POSTING OF PRIVATE PATIENT INFORMATION TO THE UPMC WEB SITE
UPMC Apologizes to Patients and Offers Free Credit Protection Services;
Improperly Revealed Information Has Been Removed from UPMC Web site
PITTSBURGH, April 12 - The University of Pittsburgh Medical Center (UPMC) is investigating a posting to a UPMC Web site which has led to the disclosure of some personal information of some current and former patients.
The discovery was brought to our attention on April 10 and the offending information was immediately removed from our site.
UPMC's preliminary investigation has determined that the names and social security numbers of approximately 80 patients were disclosed in a professional presentation that was prepared by a former University of Pittsburgh faculty member for a medical symposium that took place in 2002. The presentation also included selected data regarding some patients, including types of radiological examinations performed on them, the date and time of those examinations, and (in two patients' cases) additional related information.
Following the medical symposium, a copy of the former faculty member's presentation was posted on an area of the UPMC Radiology Department Web site where faculty members share academic information with other health care professionals.
While such sharing of academic knowledge is encouraged by UPMC, the unauthorized disclosure of personal patient information in any setting or format is strictly prohibited.
"In 2005, we discovered that this information was posted on a radiology Web site and we removed it. It was apparently inadvertently re-posted on the site," said Bob Cindrich, UPMC chief legal officer and general counsel. "At the same time we are continuing our review process and, in the event additional instances are found, patients will be notified. We are taking all possible measures to protect the individuals affected from any misuse of the information."
"We also are reviewing our Radiology Department Web site to determine whether there are other instances in which patient names and personal information may have been accidentally posted without our knowledge."
UPMC is apologizing to the patients for the disclosure of this information and is offering to pay for credit protection services.
"We are taking this matter extremely seriously," said John Houston, UPMC vice president of information security and privacy. "None of the disclosures included addresses or other contact information, or any financial information related to the affected patients. At this point we are not aware of any evidence to indicate that any of the information on the Web site has been misused."
UPMC is in the process of notifying all affected patients. UPMC also is informing all affected individuals that even though no personal financial information was posted, it will pay for credit protection services for them, through any national credit protection service, including Equifax, Experian and TransUnion Corp. Affected patients are being provided with contact information for these services.