Pittsburgh

UPMC Notifies Patients After Records Access Linked To Health Gorilla

Published on March 17, 2026

UPMC is warning that some patients' medical records may have been improperly accessed after an alert from a vendor connected to a national health data-exchange network. The Pittsburgh health giant said Tuesday it is notifying people who might be affected and has already contacted federal regulators. According to the system, the accessed information did not include Social Security numbers, but it could involve names, ages, diagnoses, and other details from patients' medical histories.

In a statement to WTAE, UPMC said it was alerted by its electronic health vendor that patient records might have been accessed through a national network used to exchange medical information. Health Gorilla, the company at the center of the alert, allegedly requested the data while asserting it had permission to treat those patients. UPMC said it is reaching out to individuals who may have been impacted and has set up a dedicated phone line for questions at 1-855-460-8762. The health system also reported the incident to the U.S. Department of Health and Human Services' Office for Civil Rights.

Why Health Gorilla Is Involved

Health Gorilla has already been under the microscope in a separate, high-profile clash over how third parties obtain and use clinical data. In January, Epic and several health systems filed a lawsuit alleging that Health Gorilla and affiliated companies enabled improper retrieval and monetization of patients' records, raising alarms over national exchange networks, according to Healthcare Dive. That court fight is distinct from UPMC's current notice, but it helps explain why a vendor warning that touches Health Gorilla would immediately get serious attention inside hospital IT departments.

Health Gorilla's Response

Reporting on the dispute says Health Gorilla has denied any wrongdoing and told investigators it is cooperating with inquiries while suspending the connections linked to the allegations, according to Becker's Hospital Review. What the company has said publicly, along with what it files in court, will help clarify whether the UPMC access ended up being a routine, properly authorized exchange of records or part of the broader pattern Epic described in its lawsuit.

What UPMC Patients Should Do

UPMC says it will contact affected patients directly, so keep an eye on your mail and email. Anyone with questions is asked to call 1-855-460-8762 and to wait for an official notice before sharing sensitive information. Be skeptical of any out-of-the-blue calls, texts, or emails that ask you to confirm medical details or provide passwords or full Social Security numbers, since legitimate notices from UPMC will not request those.

Patients who want to see how federal officials handle incidents like this can review guidance from the HHS Office for Civil Rights, which maintains resources and a public portal related to breach notifications and reporting.

Regulatory Angle

Because UPMC has informed the HHS Office for Civil Rights, the agency could decide to open a review under HIPAA's breach-notification rules. That process can include checking whether UPMC carried out appropriate risk assessments, notified patients on time, and followed other required steps. Federal guidance explains when covered entities must alert individuals and the HHS Secretary about a breach. If OCR concludes that rules were violated, it can impose corrective action plans and, in some situations, civil penalties that depend on the specific facts.

This story is still developing, and more details may emerge as UPMC, Health Gorilla, or federal regulators release additional information. For now, Pittsburgh-area patients who use UPMC should watch for official communications from the health system and use the hotline above if they think their records might be involved.