Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers’ compensation, USPS officials say.
The files were accessed during a previously reported September cyber intrusion that netted the Social Security numbers of about 800,000 USPS employees. Details of the health data breach are just now being revealed for the first time.
The agency does not face health data security fines or Health and Human Services Department breach notification violations, because the data was not part of an insurance plan.
About 485,000 employees, former employees and retirees whose medical details were potentially exposed received a notification letter last month, USPS spokesman David Partenheimer said.
The information potentially compromised was stored in "a file relating to injury compensation claims," USPS Chief Human Resources Officer Jeffrey Williamson said in the letter dated Dec. 10. "In addition, some of your medical information" associated with the claims may have been breached.
Unlike many hacked organizations, the agency had a leg up in tracking down the current home addresses of victims because of its mission.
"The Postal Service took steps to obtain current addresses for as many affected employees as possible through private contractors who used, among other sources, the Postal Service’s own National Change of Address database," Partenheimer said.
The medical data at issue consisted of injury diagnoses and procedure codes, as well as the physical location of the bodily harm, according to the letter, which Nextgov reviewed.
"Codes concerning the anatomical location and the nature of the work related injury" were potentially compromised, Williamson said. The data also included codes for medical, surgical and diagnostic services that were used for billing.
Victims are eligible for free credit monitoring, as are all USPS employees, who were notified of the general incident in November.
Can USPS Employees Sue for Breach of Medical Privacy?
About 4.9 million service members and their families affected by a 2011 Tricare military health insurance breach -- and, more recently, Sony employees victimized by a November hack -- filed class action lawsuits after their medical files were compromised.
USPS officials said, as of this week, they have not seen evidence that the data stolen from the agency has been used for identity theft or other malicious purposes.
Health records maintained by agencies, aside from federal benefit plans like Tricare, are not covered by the Health Insurance Portability and Accountability Act, or HIPAA. HIPAA mandates that organizations use certain safeguards to keep electronic health information confidential and disclose breaches to victims within 60 days.
USPS did not notify HHS of the breach because the agency is "excluded from reporting breaches under HIPAA," said Rachel Seeger, senior adviser for the HHS Office for Civil Rights.
However, the compromised employee records are covered by federal privacy law.
In the case of the Postal Service, "what's most interesting to me is that the Privacy Act of 1974 gives federal employees a right to sue as a class for data breaches," said Deborah Peel, director of Patient Privacy Rights and a practicing psychiatrist.
Military personnel affected by the Tricare breach sued under the Privacy Act. The latest reported move in that litigation was a May 2014 decision by a D.C. federal judge to dismiss most of the charges. The court ruled that data loss alone, without evidence that the information was misused, did not merit damages.