HIPAA Violations: UPMC Employee Criminally Indicted

John Commins, September 21, 2010

A federal grand jury in Pittsburgh has indicted a former employee at the University of Pittsburgh Medical Center for allegedly stealing patient data in the first HIPAA-related prosecution in the Western District of Pennsylvania, federal prosecutors say.


Paul C. Pepala, 34, of Monroeville, PA, faces 14 counts related to the alleged disclosure of patients' data for personal gain in February 2008, when he was an employee at UPMC Shadyside Hospital. The indictment lists Pepala as the sole defendant.

The indictment alleges that Pepala disclosed to other people the names, birth dates and Social Security numbers of patients, in violation of HIPAA laws. This patient data was used to file false tax returns in 2008. Pepala was also charged with violating the Social Security Act by disclosing Social Security numbers.

The law provides for a maximum sentence of 80 years in prison, a fine of more than $4.7 million, or both.

John Commins

John Commins is a senior editor at HealthLeaders Media.

Facebook icon
LinkedIn icon
Twitter icon