PITTSBURGH, April 12, 2007 The University of Pittsburgh Medical Center (UPMC) is investigating a posting to a UPMC Web site which has led to the disclosure of some personal information of some current and former patients.
The discovery was brought to our attention on April 10 and the offending information was immediately removed from our site.
UPMCs preliminary investigation has determined that the names and social security numbers of approximately 80 patients were disclosed in a professional presentation that was prepared by a former University of Pittsburgh faculty member for a medical symposium that took place in 2002. The presentation also included selected data regarding some patients, including types of radiological examinations performed on them, the date and time of those examinations, and (in two patients cases) additional related information.
Following the medical symposium, a copy of the former faculty members presentation was posted on an area of the UPMC Radiology Department Web site where faculty members share academic information with other health care professionals.
While such sharing of academic knowledge is encouraged by UPMC, the unauthorized disclosure of personal patient information in any setting or format is strictly prohibited.
In 2005, we discovered that this information was posted on a radiology Web site and we removed it. It was apparently inadvertently re-posted on the site, said Bob Cindrich, UPMC chief legal officer and general counsel. At the same time we are continuing our review process and, in the event additional instances are found, patients will be notified. We are taking all possible measures to protect the individuals affected from any misuse of the information.
"We also are reviewing our Radiology Department Web site to determine whether there are other instances in which patient names and personal information may have been accidentally posted without our knowledge.
UPMC is apologizing to the patients for the disclosure of this information and is offering to pay for credit protection services.
We are taking this matter extremely seriously, said John Houston, UPMC vice president of information security and privacy. None of the disclosures included addresses or other contact information, or any financial information related to the affected patients. At this point we are not aware of any evidence to indicate that any of the information on the Web site has been misused.
UPMC is in the process of notifying all affected patients. UPMC also is informing all affected individuals that even though no personal financial information was posted, it will pay for credit protection services for them, through any national credit protection service, including Equifax, Experian and TransUnionCorp. Affected patients are being provided with contact information for these services.