Radiology website inadvertently discloses private patient data

April 16, 2007

Personal private patient information was discovered this week on a University of Pittsburgh Medical Center radiology website, the Pittsburgh Post-Gazette reported Thursday.

The names, Social Security numbers, insurance details, and medications of nearly 80 current or former UPMC Health System patients were found to have been posted on the medical center's radiology department website, for perhaps as long as two years, without patient permission, in direct violation of the Health Insurance Portability and Accountability Act.

UPMC reacted quickly to remove the information after learning of the privacy breach on April 10 from the newspaper.

"A faculty member had prepared a presentation for a professional society meeting. As presented, the patient information was masked, the faculty member says. But when it got posted on the website, it wasn't masked," said Richard Kidwell, UPMC director of patient safety and risk management. "I don't know why that was."

The presentation included types of radiological examinations performed on patients, the date and time of those examinations, and additional related information in two cases, according to UPMC.

An investigation is pending.

The confidential data were included in a PowerPoint presentation prepared for the 2002 RSNA meeting by Dr. Paul J. Chang, UPMC's former director of radiology informatics. Since June, Chang has been the vice chair of radiology informatics and medical director of pathology informatics at the University of Chicago Pritzker School of Medicine.

Following that RSNA meeting, a copy of Chang's presentation was posted on an area of the radiology department website where faculty members share academic information with other healthcare professionals. While such sharing of academic knowledge is encouraged, the unauthorized disclosure of personal patient information in any setting or format is strictly prohibited, UPMC said.

Chang said he thought that the data had been removed long ago.

"UPMC apparently experienced some sort of system failure, and when they restored to a previous backup, it somehow resuscitated the deleted PowerPoint presentation," he said.

The privacy breach reaches back as far as two years.

UPMC became aware of the breach in 2005 and deleted the information from that server shortly before the server was taken out of commission, Kidwell said.

"However, they had already backed it up onto the new server coming online a week later, so when the new server came online, it had the old data on it," he said.

Kidwell cautioned other healthcare facilities to be diligent about what physicians and staff are doing with respect to presentations and postings on websites. A review of all radiology department web pages is being performed to determine whether there are other instances in which patient names and personal information may have been accidentally posted.

"We have software that scours our websites to try to find private patient information in text, but it didn't find this because parts of the PowerPoint presentation were taken from computer screen captures, so it went in the presentation as a picture, not as text," Kidwell said. "There is no software available that we know of that could have picked this up."
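The gap Kidwell describes is a general one: a scanner that only reads text cannot see identifiers that were pasted in as screen captures. The following script is an added example written for this article, not UPMC's tool or anything UPMC described. It treats a .pptx as what it is, a zip of XML parts, runs text-pattern matching over the slide and notes text the way a text-only scanner would, and separately reports every embedded image under ppt/media so that those can be routed to OCR or a manual review instead of being silently passed. The SSN and "MRN" patterns are hypothetical placeholders for an organization's own identifier formats, and the deck it scans is constructed in memory (one slide carrying an SSN and a medical record number in a text run, plus an image stub standing in for a screen capture).

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# DrawingML text namespace used inside real .pptx slide XML.
A_NS = "{http://schemas.openxmlformats.org/drawingml/2006/main}"

# Hypothetical identifier patterns for this example: a US SSN and an
# "MRN"-prefixed medical record number. Replace with your own formats.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.I),
}

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".bmp", ".tiff", ".emf", ".wmf")


def slide_text(xml_bytes):
    """Return the visible text runs (<a:t>) of one slide or notes part."""
    root = ET.fromstring(xml_bytes)
    return " ".join(t.text or "" for t in root.iter(A_NS + "t"))


def scan_pptx(data):
    """Scan a .pptx the way a text-only scanner does, and also list the
    embedded images such a scan cannot inspect.

    Returns {"text_hits": [(part, kind, match), ...],
             "unscanned_images": [part, ...]}
    """
    hits, images = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            is_slide = lower.startswith(("ppt/slides/", "ppt/notesslides/"))
            if is_slide and lower.endswith(".xml") and "/_rels/" not in lower:
                text = slide_text(zf.read(name))
                for kind, rx in PATTERNS.items():
                    for match in rx.findall(text):
                        hits.append((name, kind, match))
            elif lower.startswith("ppt/media/") and lower.endswith(IMAGE_EXT):
                # Pixels, not text: a regex scan walks straight past these.
                images.append(name)
    return {"text_hits": hits, "unscanned_images": images}


def build_sample_pptx():
    """Construct, in memory, a minimal deck for the example: one slide with
    identifiers in a text run and one image stub. Constructed data, not a
    real presentation."""
    slide = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">'
        '<p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
        '<a:t>Patient J. Doe, MRN 0047123, SSN 123-45-6789, CT chest 2002-11-05</a:t>'
        '</a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", slide)
        # A screen capture of a worklist would be real pixels here; the
        # PNG signature alone stands in for it.
        zf.writestr("ppt/media/image1.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = scan_pptx(build_sample_pptx())
    for part, kind, match in report["text_hits"]:
        print(f"TEXT HIT  {part}: {kind} {match}")
    for part in report["unscanned_images"]:
        print(f"NEEDS OCR/REVIEW  {part}: image content not scanned")
```

Run against a real deck, the text hits are what an existing scanner would already catch; the second list is the part that matters for the failure mode in this story, because a deck with zero text hits and a dozen images under ppt/media has not been cleared, only partially scanned. The same walk applies to .docx and .xlsx, which keep their images under word/media and xl/media respectively.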

UPMC is in the process of notifying all affected patients. Even though no personal financial information such as credit card numbers was posted, UPMC is offering to pay for credit protection services for up to a year, through any national credit protection agency.

The patients also have the right to file a complaint with the Department of Health and Human Services' Office for Civil Rights, the office that enforces HIPAA's privacy and security rules. OCR may then investigate and decide whether to take enforcement action.

HIPAA provides both civil and criminal penalties for wrongful disclosure of individually identifiable health information. The base criminal penalty for knowingly obtaining or disclosing such information is a fine of up to $50,000, imprisonment of not more than one year, or both, with higher tiers for disclosures made under false pretenses or for commercial advantage, personal gain, or malicious harm.