UPMC Health Plan blamed a misfired email message for the release of personal information about 722 members.
The email meant for a physician's office in Lawrence County was sent instead to an incorrect address, revealing patient names, insurance membership numbers, birth dates and phone numbers, the Downtown-based insurer said today. It first confirmed the breach to the Post-Gazette on Tuesday.
Members' insurance plan types and primary-care physician offices also appeared in the email, although it did not include Social Security numbers or information about medical histories, according to UPMC Health Plan. The company said it discovered the problem June 4, sent an advisory letter to affected customers and told authorities as required by law.
"We apologize for any anxiety or inconvenience that this incident may cause our members. Based on our ongoing investigation, we will make all changes necessary to further enhance our already-stringent privacy protections," chief compliance officer William Gedman said in a statement.
The company alerted the Department of Health and Human Services on July 2, federal records show. It wasn't immediately clear who received the email or how the recipient handled the data, but UPMC Health Plan said that party "was contacted."
Affected members with questions can call (888) 876-3764, the company said.
More than two dozen significant breaches of patient data have struck Pennsylvania health insurers, care providers and other entities over the last three years, according to HHS. Each of those involved at least 500 people.
Adam Smeltz: asmeltz@post-gazette.com, 412-263-2625 or on Twitter @asmeltz
First Published: July 15, 2015, 3:01 p.m.