Pittsburgh-based UPMC is notifying 2,200 patients that their data has been illegally disclosed by a third-party vendor employee.
In a statement, UPMC said a call center employee of Medical Management, a company that provides billing services to UPMC's physician group Emergency Resource Management, had accessed and copied patient information from the billing system over the past two years and disclosed that information to a third-party.
Potentially compromised information includes names, birth dates and Social Security numbers. UPMC has no evidence medical or treatment histories were disclosed.
MML notified UPMC of the data theft after federal law enforcement agencies told MML they were conducting a criminal investigation into the incident, according to the statement.
The call center employee has been fired from MML.
"We apologize for any anxiety or inconvenience that this incident may cause for our patients," said John Houston, vice president of privacy and information security of UPMC, in the statement. "We hold our vendors to the same high privacy standards that we have for ourselves. Based upon the ongoing investigation, we will make whatever changes might be necessary to further enhance our already stringent privacy protections, especially those that apply to our business partners.
More articles on data breaches:
Data breaches could cost $2.1T globally by 2019
Media coverage of data breaches drives 69% of companies to take another look at security: 5 things to know
9 latest data breaches