Two People Terminated for Impermissible Disclosures of Sensitive Data to Third Parties

Humana discovered that a worker at its business associate’s subcontractor impermissibly disclosed the protected health information (PHI) of about 65,000 members to a third party for training purposes.

Humana hired Cotiviti to provide support in requesting medical records. Cotiviti, in turn, employed a subcontractor to check the requested health files. Under HIPAA, subcontractors of business associates must also comply with HIPAA.

The privacy breach occurred from October 12, 2020 to December 16, 2020. Cotiviti alerted Humana to the HIPAA breach on December 22, 2020. Jointly, Cotiviti and Humana took steps to make sure that safety measures are enforced to prevent similar privacy violations in the future. The same safety measures are also applied by any subcontractors it employs. The person who disclosed the information no longer works for the subcontractor.

The types of records exposed consist of members’ names, telephone numbers, birth dates, addresses, email addresses, complete or incomplete Social Security numbers, insurance identification numbers, medical record numbers, provider names, dates of service, treatment details, and medical pictures.

Though the disclosures were not made for malicious reasons and it is believed that there were no further PHI disclosures, Humana is giving affected people two years of credit monitoring and identity theft protection services at no cost.

UPMC St. Margaret Terminates Worker for Impermissible Disclosure of Sensitive Data

UPMC St. Margaret has learned that a worker disclosed the PHI of a number of its patients to a third-party company without permission.

In August 2020, UPMC St. Margaret found out that an organization had received a medication management report without a valid reason. The report contained data such as names, UPMC ID numbers, and medicine administration information, including drug name, dosage, time/date of intake, and the rationale for medication intake.

After identifying the data breach, UPMC blocked the employee’s access to UPMC systems and terminated the individual’s employment right after the investigation was over. The provider informed the impacted persons of the privacy violation on March 5, 2021. No explanation was given for the delay in issuing the notification letters.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone