USPS OWCP Medical File Hack Affected Nearly Half a Million Postal Workers. USPS data breach affected bank and/or medical information of postal workers injured on the job. USPS sent out individualized letters to postal employees with specific information about their particular situation. So all letters will not contain the same information.

From NextGov

Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers’ compensation, USPS officials say.

The files were accessed during a previously reported September cyber intrusion that netted the Social Security numbers of about 800,000 USPS employees. Details of the health data breach are just now being revealed for the first time.

The agency does not face health data security fines or Health and Human Services Department breach notification violations, because the data was not part of an insurance plan.

About 485,000 employees, former employees and retirees whose medical details were potentially exposed received a notification letter last month, USPS spokesman David Partenheimer said.

The information potentially compromised was stored in “a file relating to injury compensation claims,” USPS Chief Human Resources Officer Jeffrey Williamson said in the letter dated Dec. 10. “In addition some of your medical information” associated with the claims may have been breached.

The medical data at issue consisted of injury diagnoses and procedure codes, as well as the physical location of the bodily harm, according to the letter, which Nextgov reviewed. “Codes concerning the anatomical location and the nature of the work related injury” were potentially compromised, Williamson said. The data also included codes for medical, surgical and diagnostic services that were used for billing. Read more

Can USPS Employees Sue for Breach of Medical Privacy?

About 4.9 million service members and their families affected by a 2011 Tricare military health insurance breach — and, more recently, Sony employees victimized by a November hack — filed class action lawsuits after their medical files were compromised.

USPS officials said, as of this week, they have not seen evidence that the data stolen from the agency has been used for identity theft or other malicious purposes.

Health records maintained by agencies, aside from federal benefit plans like Tricare, are not covered by the Health Information Portability and Accountability Act, or HIPAA. HIPAA mandates organizations use certain safeguards to keep electronic health information confidential and disclose breaches to victims within 60 days.

USPS did not notify HHS of the breach because the agency is “excluded from reporting breaches under HIPAA,” said Rachel Seeger, senior adviser for the HHS Office for Civil Rights.

However, the compromised employee records are covered by federal privacy law.

In the case of the Postal Service, “what’s most interesting to me is that the Privacy Act of 1974 gives federal employees a right to sue as a class for data breaches,” said Deborah Peel, director of Patient Privacy Rights and a practicing psychiatrist. Read more

USPS will not notify active military postal employees

There are no special arrangements for notice to employees serving on active duty.

Also according to USPS, the free credit monitoring product is being offered “only to those individuals whose sensitive personal information, such as their social security number, was potentially compromised. Although the investigation is ongoing, we do not believe that any sensitive personal information of family members of employees was potentially compromised.”

Family members of USPS workers comp (OWCP) employees may be affected by data breach

Equifax tips to help keep personal and financial info secure following data breaches

USPS Data Breach Timeline

USPS Q & A on cyber intrusion and employee data compromise