
Jun 03

Judge dismisses class-action suit against university hospital over data breach


A Pennsylvania county judge has dismissed a class-action lawsuit that was brought against the University of Pittsburgh Medical Center (UPMC) last year over a data breach that potentially affected all 62,000 employees in the hospital system.

Judge R. Stanton Wettick sided with UPMC, ruling that it was also a victim of the attack and that heightened cybersecurity measures may not have prevented the breach, TribLive reports. Wettick further said there was no agreement stating UPMC would be held liable for security breaches.

Typically, when you think about healthcare breaches you think about employee snooping or hackers exposing the PHI of patients for medical identity theft. In this case, however, the hackers went straight to the employees to gain financial information. While this breach may not be considered a violation of HIPAA, it highlights weaknesses in UPMC systems.

The Pittsburgh Post-Gazette reported UPMC notified employees of the breach in February 2014 after confirming a payroll database was compromised and 22 people were victims of tax fraud as a result of the theft. The victims reported the theft to UPMC and an investigation was launched with the IRS, Secret Service, and FBI.

A month later, the number of victims increased to 322, and then to 788 in April. That June, TribLive reported that at least 817 employees across the health system, which includes 22 hospitals, were victims of tax fraud. UPMC had said 27,000 people were possibly affected and then acknowledged in June that the breach might extend to every hospital employee.

The payroll system was separate from patient data, and fraud detection services were offered to all employees for free with the possibility of extending coverage for five years, a UPMC spokeswoman told TribLive. Social Security numbers, bank account numbers and other sensitive data were compromised in the breach.

Employees filed the class-action suit in February 2014. It was followed by a second suit that mistakenly implicated a software firm as well and was quickly dropped.

The claims against UPMC were negligence in its failure to protect employees’ personal and financial data despite federal privacy guidelines for businesses and widespread industry information security standards, and breach of an implied contract with employees to protect that data.

Categories : Data Breach
