UPMC Employee Breach Linked to Fraud

Medical Center Now Says 27,000 Staff Members Impacted

A data breach at the University of Pittsburgh Medical Center, which already has resulted in a lawsuit, compromised information on as many as 27,000 employees and led to 788 workers falling victim to tax fraud.

Kraemer, Manes and Associates LLC, a Pittsburgh law firm, filed a lawsuit seeking class action status in a Pennsylvania court back in February, when the breach was thought to have affected far fewer employees. UPMC provided an update on the size of the breach on April 17.

A breach notification letter sent to UPMC employees says names, addresses and Social Security numbers were exposed.

The letter explains that some employees were targeted by a fraudulent tax return scheme. "We have ... determined that the source of information used to commit this crime was obtained through unauthorized access that allowed some personal employee information to be exposed," the notification letter says.

"We want to assure our patients that no patient information was breached," says Gloria Kreps, a spokesperson for UPMC. "We are continuing to work with the IRS, Secret Service and FBI to determine the source of the breach."

Impacted employees are being offered free identity theft protection services through LifeLock for one year. "We continue to urge our employees to register with LifeLock as an important step to deter any additional fraudulent activity," Kreps says.

Legal Action

Attorney Michael Kraemer, who was involved in filing the UPMC lawsuit, says the legal action was taken because employees' sensitive information "is out in the wild now."

"This is resulting in a massive amount of time [and] work spent trying to rectify this, making sure all accounts are secure, [utilizing] credit checks, LifeLock [as well as] emotional trauma," he says.

The law firm is suing UPMC for negligence, invasion of privacy and breach of implied contract. The suit seeks unspecified damages and asks that the medical center cover the cost of plaintiffs obtaining credit monitoring services for 10 years.

UPMC did not immediately respond to a request for additional information about the breach or a response to the lawsuit.

In an unrelated incident, UPMC notified 1,300 patients in December 2013 that their records were viewed inappropriately by an employee (see: Medical Center Breaches Lead Roundup).

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
