UMass Medical Group reports data theft by ex-employee

UMass Memorial Medical Group (UMMMG), Worcester, Mass., is reporting a breach of personal data of approximately 14,000 patients.

The medical group, an affiliate of UMass Memorial Health Care and the University of Massachusetts, said that an employee, since terminated, “may have accessed billing records outside of normal job duties from January 7, 2014 to May 7, 2014,” according to a public notice posted Friday. UMass Memorial Medical Group said the information “may have been accessed inappropriately and potentially for fraudulent purposes.”

The organization first learned of the breach April 9, 2014, but said law enforcement authorities did not give permission to notify affected patients or the public until last week.

“Also, in August 2014, law enforcement advised us that they found copies of some patient billing documents in possession of an unauthorized person. The precise information potentially accessed by the former employee varies with regard to different patients, but it may have included patients’ names, addresses, dates of birth, medical record numbers and Social Security numbers. The information also may have included credit or debit card numbers used for payments to UMMMG, phone number(s), email addresses and guarantors’ names, if any,” according to the notice.

UMass Memorial Medical Group has set up a dedicated call center to answer questions from those who believe they may have been affected. Those whose data was stolen will be offered free credit monitoring services, UMass Memorial Healthcare spokesman Anthony Berry told Clinical Innovation + Technology.

“The investigation is ongoing and we don’t have any more information at this point,” Berry added.